A cyber-security company is offering £645K to any individual or team who can create an “exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” according to a company blog post.
Zerodium wrote that it has up to £1.9 million available in rewards for iOS exploits and/or jailbreaks. Eligible submissions must have a “full chain of unknown, unpublished and unreported vulnerabilities/exploits” that are combined to bypass “all iOS 9 exploit mitigations.” That includes ASLR, sandboxes, rootless, code signing and bootchain, the company said.
The initial attack vector must also be either a web page targeting a mobile browser in its default configuration, a text message and/or multimedia file delivered through SMS or MMS, or a web page targeting any application reachable through the browser.
All submissions must be made through encrypted emails.
Ken Westin, senior security analyst at Tripwire, emailed SC to comment: “The fact that Zerodium is willing to pay $1M for iOS exploits may actually be a vote of confidence in the security of iOS. The price tag of the exploit does raise questions about who Zerodium believes they can sell these exploits to and what that party (or parties) may want to do with them.
“Although jailbreaking is popular amongst hobbyists to expand the functionality of their phones, it is also used for espionage and malicious purposes. My guess is that Zerodium/VUPEN already have customers lined up willing to pay considerably more than the bounty for these exploits.”