In the escalating market for security vulnerabilities, a new milestone has been recorded early in the new year, with $2 million now being offered for a remote Apple iOS exploit.
The $2 million award is being offered by vulnerability acquisition firm Zerodium, which first achieved global notoriety for offering $1 million for an iOS 9 zero-day exploit back in September 2015. In September 2016, Zerodium increased its top iOS exploit award to a $1.5 million, which has now been topped by the $2 million bounty.
In most bug bounty programs, including managed programs offered by HackerOne and Bugcrowd as well as Trend Micro's Zero Day Initiative (ZDI), security researchers disclose previously unknown "zero-day" vulnerabilities and are then given a financial award. The bug bounty program vendors then disclose the vulnerability privately to the impacted vendor. That's not how Zerodium works; instead, the company sells the vulnerabilities to its own clients, which includes governments.
"ZERODIUM customers are mainly government organizations in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks," the company states in an FAQ about its services. "Access to ZERODIUM solutions and capabilities is highly restricted and is only available to a very limited number of organizations."
Zerodium to date has never publicly disclosed information on any of the Apple vulnerabilities it has acquired and how they may have been used.
The $2M Bounty
Getting a $2 million bounty is no easy task on the latest iOS operating system, which is why it has been given such a high value. Specifically, Zerodium has stated that the award is for an Apple iOS remote jailbreak that can be achieved with no clicks required by the end user while maintaining persistence on the device, even after it is rebooted. Zerodium will award $1.5 million for an iOS vulnerability that enables a remote jailbreak that can be achieved with a single click.
Zerodium isn't the only firm that has offered money to researchers who disclose Apple iOS vulnerabilities. At the Mobile Pwn2Own event in November 2018, Trend Micro's ZDI awarded researchers for disclosing multiple zero-days in iOS. However, none of the flaws discovered at Pwn2Own was a remote jailbreak, though researchers were able to demonstrate interesting WiFi and browser bugs that enabled code execution and data exfiltration.
ZDI awarded one researcher $60,000 for an iOS sandbox escape, which is a far cry from the $2 million that Zerodium is offering at the top end. For further context, what ZDI pays out is more than the average bug bounty. Bugcrowd reported in its 2018 State of the Bug Bounty report that the average bug bounty across its managed programs in 2018 was $781.
What Zerodium is looking for is not a trivial bug and might not even be a bug that exists. That's what makes it so valuable and why the company is willing to pay so much for it. With a remote, zero-click jailbreak, an attacker potentially could take over a fully patched iPhone and do whatever they want, including installing software and discovering data.
It's the messaging aspect that is perhaps the most valuable item to Zerodium and, by extension, its customers. In addition to the higher payout for the iOS vulnerability, Zerodium also increased payouts for other targets. A remote code execution flaw in SMS for Apple's iMessage or the WhatsApp applications will now yield a $1 million award, up from $500,000. It's not just mobile either that Zerodium is going after, as it is offering a $1 million bounty for a zero-click remote code execution flaw in Windows as well. Previously, Zerodium had valued a Windows remote code execution at $500,000.
The escalating award amounts from Zerodium is just further proof that software bugs have value, which should come as no surprise. Software bugs aren't just business-critical issues anymore. In many cases, they have even broader implications as modern society itself increasingly relies on software to function.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.