Daily Management Review

$1 Million Bounty for Anyone Who Can Jailbreak iOS 9

09/21/2015

In what is being dubbed the world's biggest zero-day bug bounty program, Zerodium, the zero-day acquisition platform, announced a bounty of one million dollars for researchers who can provide the firm with exploits for Apple's latest iPhones.
 
The company said that it would distribute $3 million to each of those who can demonstrate a workable, remote and untethered jailbreak that will persist even after a reboot.
 
Jailbreaks exploit iOS to the point that the user has total control over what they can install on the phone, said Chaouki Bekrar, CEO of Zerodium and Vupen.

The high price of the bounty reflects the company's confidence in the quality of the security protections in Apple's latest iPhone operating system, said Bekrar.
 
“iOS is the most secure mobile OS as of today and Zerodium is buying all kinds of stuff, why not iOS?” he said.
 
The company website details the requirements for the jailbreak and the complete set of rules, including a stipulation that the jailbreak must work on the iPhone 6 or the iPhone 6s. To claim the $1 million bounty, a hacker would have to use Apple's Safari, Google's Chrome browser or a text message to attack the phone. This, experts claim, is possible only for the most talented of hackers. There is also a deadline: the details of the research must be submitted by 6pm ET on 31 October, Halloween.

An astonishing $100,000 to $150,000 each week was being paid by the company to researchers who had disclosed exploits and zero-days, that is, unpatched and previously unknown vulnerabilities, claimed Bekrar.
 
“We have paid for a fair amount of exploits in Internet Explorer, Chrome, Firefox, Flash, Office and Android,” Bekrar added.
 
Mobile exploits are among the highest paid, with prize money as high as $100,000, while researchers focusing on browser attacks can earn as much as $50,000, and up to $40,000 is paid for attacks on Microsoft Office products.
 
Bekrar said that $100,000 was paid for the findings of researcher Joshua Drake after he disclosed the critical Stagefright zero-days in Google Android.
 
The details of the bounty were not disclosed, primarily because of the company's business model, which deals with disclosures of vulnerabilities to paying customers only.
 
The company does not inform the vendors of the affected products, so the flaws remain in their software and users are left unprotected. There are strong critics of this business model: Chris Soghoian, principal technologist and senior policy analyst at the ACLU, has described Vupen as “a modern-day merchant of death”.
 
Despite the criticism, the exploit market is growing, and according to Forbes magazine the going price for such exploits was at least $1 million and possibly even higher.

Because of the vast number of third-party app stores, it is reported that Chinese giants, including Alibaba, were inadvertently funding the jailbreak scene.
 
However, whoever the ultimate buyer of the jailbreak may be, right now the $1 million is up for grabs for the most talented hackers from anywhere on the globe.
 
(Source: www.forbes.com)