Exploit vendor Zerodium, a company started by VUPEN founder Chaouki Bekrar, today announced it will host a month-long million-dollar bug bounty focused on Apple iOS 9.
Bekrar said in a statement there is a $3 million pool available for the bounty, which will close on Oct. 31 or earlier if the total payout to researchers reaches the $3 million mark.
“Zerodium will pay out one million U.S. dollars to each individual or team who creates and submits to Zerodium an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” Bekrar said.
To be eligible, submissions must include a chain of unknown, unpublished and unreported vulnerabilities and exploits that is able to bypass the numerous mitigations native to iOS 9, including ASLR, code signing and bootchain.
“The exploit/jailbreak must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device,” the statement said. Attacks must begin, the conditions say, via a webpage targeting mobile versions of Safari or Chrome, or any application reachable through the browser. Attacks can also initiate via text messages or multimedia files sent over SMS or MMS.
“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS,” Zerodium said.
Attacks that require physical access, or are carried out over Bluetooth, NFC or baseband are not eligible, the company said, adding that the only devices in scope are iPhone 5 and later, and iPad Air, Air 2, third- and fourth-generation iPads, and iPad mini 2 and 4.
Zerodium launched in late July with a focus on buying only high-risk zero-day vulnerabilities, for all major platforms and third-party applications such as Adobe products. Mobile platforms, including Android, BlackBerry and Windows Phone in addition to iOS, are also in scope for Zerodium, as are the major web and email servers. The attacks it purchases will be built into a feed of vulnerabilities, exploits and defensive capabilities for its customers.
“Zerodium does not acquire theoretically exploitable or non-exploitable vulnerabilities. We only acquire zero-day vulnerabilities with a fully functional exploit whether including only one stage or multiple stages e.g. browser exploits with or without a sandbox bypass/escape are both eligible,” the company says.
A host of exploit vendors operate in this controversial market of finding and buying bugs from researchers, and selling them. Ironically, VUPEN has shied away from buying vulnerabilities, and Bekrar has said many times that his company sells only to democratic, non-sanctioned governments. This year’s breach of Italy’s HackingTeam, which exposed almost all of the company’s secrets, confirmed that not all of the vendors operating in this space follow the same creed.
HackingTeam, for one, was atop that list after documents stolen in the breach and published online showed that the surveillance software vendor was selling to the governments of Sudan, Egypt and Ethiopia, all considered oppressive regimes and under European Union sanctions. HackingTeam’s Remote Control System software is marketed to law enforcement and intelligence agencies as a tool to remotely compromise computers and mobile devices in order to monitor communication. This activity has been called on the carpet not only by security researchers but also by human rights groups.