Tags: bounty, iOS9, zero-day, zerodium
A few days ago, a mainstream media channel asked the Damballa Threat Discovery Center our opinion about the newest and biggest cyber threats facing US business and law enforcement. We responded that the business of Zero Day exploits is on the rise.
Today Zerodium, a Zero-Day buy and sell market launched by Vupen, (a vulnerability and exploit broker) announced they would offer a $1 million dollar bounty for any iOS 9 exploit or jailbreak.
This follows their announcement last week about bounties they were in the market for, including mobile exploits, browsers, Flash and Microsoft Office.
While security forums don’t have much chatter about this topic yet, it’s all over Twitter. While there is no insight into a specific buyer, we can assume if an exploit for iOS 9 is found, Zerodium will sell it for way more than $1 million.
Finding an iOS 9 security breach would have severe repercussions for millions of iPhone users, which have traditionally been given a higher grade for security than Android because of their ‘walled garden’ approach to Apps. Any developer who wants to do business in the App Store has their code reviewed by Apple first.
The exploit business has been alive and well for a long time. No law enforcement authorities have gone after them yet, and if they did, it could get messy. Who is it to blame? The person who finds the exploit, the company who buys it or the people who use it?
Only time will tell if the iOS 9 bounty is up for grabs but Damballa’s Threat Discovery Center will continue to monitor the situation.
For more information about Bug Bounty programs, read our previous blog about Bitdefender.
— Loucif Kharouni
Senior Threat Researcher, Damballa