
$1 Million Private Zero-Day Bounty Reward for iOS 9

A team of hackers recently landed a bounty of $1 million for reporting three iOS 9.x and Google Chrome vulnerabilities to a private company that sells exploits to corporations and governments on a subscription basis.

The remote browser-based vulnerabilities reportedly work for iPhone 6 and iPhone 5 lines, iPad Air 2 and Air, iPad 4 and 3, and the iPad mini 4 and iPad mini 2, according to one of the eligibility conditions proposed by the bounty-offering company.

“No software other than iOS really deserves such a high bug bounty,” founder Chaouki Bekrar told Vulture South. “Our bounty required much more work than a classic jailbreak as it had to be remote and browser-based, so this required two to three additional zero-days compared to a public jailbreak. The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place.”

Those wanting to find out more about the exploit, or actually make use of it, will have to pay the company an undisclosed sum of money. Considering that iOS zero-day vulnerabilities that enable an untethered jailbreak are hard to find, it’s likely the company will charge its customers rather large amounts of cash.

The company said the vulnerabilities will first be reported to its customers, after which Apple will be informed of the details. While some sell zero-day exploits, a controversial practice, other security researchers continue to openly disclose vulnerabilities without requiring remuneration.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

1 Comment

  • I believe that the practice of selling zero-day exploits is a bit off-putting. This type of information should be free flowing, for a better cyber security ecosystem. It seems to me to go against everything open source.