14 DAY TRIAL // Zerodium, a company that acquires and sells security vulnerabilities in various products, has launched a bug bounty program through which it will pay $1 million / €0.89 million to hackers who find vulnerabilities in Apple's recently launched iOS 9.
As a business, Zerodium is a company in the same category as the Hacking Team, a security vendor that sells security exploit kits and espionage tools to governments and enterprises.
While previously this kind of business was relegated to the Dark Web, all of a sudden, in recent years, people have lost their moral compass and are willing to accept this kind of business model as a legitimate activity.
Sure, the company may be activating in the gray area between crime and legality, but as the Hacking Team hack proved this summer, this doesn't guarantee a business like Zerodium won't sell its tools to governments, which will then use them to spy and oppress its citizens.
Now, with the recent launch of iOS 9, which many industry experts are lauding as the most secure iOS release to date, Zerodium has found itself in the difficult situation of not being able to cater exploit kits for this new version.
Zerodium is looking for zero-day flaws in iOS 9
For this, the company has put out a so-called "Bug Bounty" program, agreeing to pay up to $3 million / €2.67 million for the first 3 zero-day exploits found in Apple's iOS 9.
Their bug bounty program will be open until October 31, or until the $3 million pool is paid up to the first hackers who submit their exploits.
To be declared eligible, a submission must be able to bypass all iOS 9 exploit mitigations, like ASLR, sandboxes, rootless, code signing, and bootchain.
Additionally, all exploits must be kept secret and not published or reported somewhere else, which makes sense since Zerodium wants to build top-of-the-line hacking tools out of them.
To be considered a winner, an exploit must allow for "a remote, privileged, and persistent installation of an arbitrary app on a fully updated iOS 9 device."
The winning exploits must be remotely usable
This means that a fully usable exploit must allow the hackers to gain control of an iOS 9 device by fooling the user to access a Web page or by opening an SMS or MMS message.
Zeroidum also requires the exploit to be completely silent, with no popups or user interaction needed from the user.
Basically, Zerodium wants to allow its clients to hack iOS 9 devices from afar, without needing to be in close contact with the victim, in their Bluetooth's range, or by requiring physical access to the device.
The exploit must be usable on the following devices: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone 5, iPhone 5c, iPhone 5s, iPad Air 2, iPad Air, iPad (3rd generation), iPad (4th generation), iPad mini 4, and iPad mini 2.