“Give us an iOS 9 zero-day and we’ll give you $1 million”

A new security company known as Zerodium has come up with a 7-figure way to make a very loud splash as it enters the field.

It’s got $1 million (about £651,000) in bug bounty money burning a hole in its pocket, and it’s looking to spend it on what’s thought to be the biggest bounty ever publicly offered for a technique that can successfully break into an iPhone or iPad running Apple’s newly released iOS 9.

The statement on Zerodium’s website announcing the bounty describes iOS as being a worthy target, given Apple’s work to make it secure:

Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS.

But just because it’s tough to break it doesn’t make breakage impossible, Zerodium says:

Don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.

The company says it’s willing to pay the bounty multiple times, though it may cap the payouts at $3 million.

According to its site, Zerodium is willing to pay out more for zero-days than other bug bounty programs because it’s interested in quality more than quantity:

The majority of existing vulnerability acquisition programs focus on the quantity instead of quality so they usually acquire any kind of vulnerabilities but pay researchers low rewards. At ZERODIUM we pay higher rewards as we only focus on and acquire high-risk vulnerabilities with fully functional/reliable exploits affecting modern operating systems, software, and devices.

To qualify for the hefty bounty, the initial attack has to work through:

• A webpage targeting either the mobile Safari or Google Chrome browsers in their default configuration,
• A webpage targeting any app reachable through the browser, or
• A text message or a media file delivered through an SMS or MMS message.

Zerodium, launched in July, may well be new, but founder Chaouki Bekrar is a familiar face in the zero-day industry, and he’s no stranger to discovering zero-days and figuring out how best to cash in on them.

Bekrar is the founder of the French firm Vupen, which has been atypically, unabashedly frank about developing intrusion techniques for popular software that it then sells to government agencies around the world.

Likewise, Zerodium describes its customers as being “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”

During the 2012 Pwn2Own contest, Vupen was responsible for bringing Chrome’s boastful track record of fending off attacks crashing down.

As Forbes told the story, Vupen had declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference.

Bekrar couldn’t be bothered with Google’s piddly $60,000 award, paid to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used.

Bekrar said that Vupen never had the slightest intention of telling Google its secret techniques – and most certainly not for chump change:

We wouldn't share this with Google for even $1 million. We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.

Saving serious zero-days for paying customers to use in secret – instead of alerting the companies whose technologies are being picked apart – is likewise going to be the modus operandi for Zerodium, which is requiring that any iOS bug discovered is not to be reported to Apple or publicly disclosed.

In fact, Bekrar has admitted in past interviews that he’s not sure where his tools wind up or what they’re used for.

From a 2012 interview with Forbes’s Andy Greenberg:

We do the best we can to ensure it won't go outside that agency. But if you sell weapons to someone, there's no way to ensure that they won’t sell to another agency.

The practice of turning a blind eye to what buyers do with the hacking tools, and whether they’re being used with or without warrants or in violation of human rights, has caused ACLU lead technologist Chris Soghoian to deem Vupen a “modern-day merchant of death” that sells “the bullets for cyberwar.”

As Wired frames it, the fat iOS bounty ushers Bekrar into a new role: instead of just creating zero-days, he’s now entering into the business of brokering them.

If any of the zero-days Zerodium is setting itself up to broker reaches our attention, we’ll be sure to bring it to public attention.

But with its business plan and hush-hush practices, it seems highly unlikely that we’ll hear about these zero-days – at least, perhaps not until another Edward Snowden rises to enlighten us all.

Image of $1M dollar bill courtesy of Shutterstock.com