$1 Million Private Zero-Day Bounty Reward for iOS 9

A team of hackers recently landed a bounty of $1 million for reporting three iOS 9.x and Google Chrome vulnerabilities to a private company that deals with selling exploits to corporations and governments on a subscription basis.

The remote browser-based vulnerabilities reportedly work for iPhone 6 and iPhone 5 lines, iPad Air 2 and Air, iPad 4 and 3, and the iPad mini 4 and iPad mini 2, according to one of the eligibility conditions proposed by the bounty-offering company.

“No software other than iOS really deserves such a high bug bounty,” founder Chaouki Bekrar told Vulture South. “Our bounty required much more work than a classic jailbreak as it had to be remote and browser-based, so this required two to three additional zero-days compared to a public jailbreak. The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place.”

Those wanting to find out more about the exploit, or actually make use of it, will have to pay – an undisclosed sum of money – to the company. Considering that iOS zero-day vulnerabilities that enable untethered jailbreak are hard to find, it’s likely the company will charge its customers rather large amounts of cash.

The company said the vulnerability will first be reported to their customers, after which Apple will be informed of the details of the vulnerabilities. While some sell zero-day exploits in a controversial practice, some security researchers continue to openly disclose vulnerabilities without requiring remuneration.