A security firm that hunts for undiscovered software bugs is offering $1 million to the first hacker that breaks Apple’s mobile operating system.
The company, Zerodium, compiles what are known as “zero days,” or security flaws that are unknown to the software manufacturer. Its $1 million offer is the largest such bounty ever offered.
“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the company said in a statement announcing the bounty. “But don’t be fooled, secure does not mean unbreakable.”
“Bug bounties” are becoming increasingly popular as companies struggle to keep up with an onslaught of cyber intrusions. In May, United Airlines began offering free miles to people who uncover security flaws in its websites and digital infrastructure.
The terms of Zerodium’s offer require hackers not to disclose the vulnerability to Apple, so that its customers can use the hack in secret. According to the company’s website, its clients include “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”
Founder Chaouki Bekrar has faced fierce criticism for exploiting zero-day flaws for profit — ACLU lead technologist Chris Soghoian has called him a “modern-day merchant of death,” selling “the bullets for cyberwar.”
Bekrar is unapologetic.
“We do the best we can to ensure it won’t go outside that agency,” Bekrar told Wired in 2012. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”
Zerodium has offered to pay out the $1 million bounty up to three times for different flaws, but only for vulnerabilities in Apple’s newly released iOS 9 operating system.
— Cory Bennett contributed