Ladies and gentlemen, start your engines.
The cybersecurity firm Zerodium announced on Monday that it will reward $1 million to anyone able to crack Apple’s (AAPL) recently launched iOS 9 operating system, which the startup’s website claims is “the world’s most secure mobile OS.”
“Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the company stated in its blog post. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
Zerodium was founded this past summer by Chaouki Bekrar, a well-known merchant of zero-day exploits—or computer code that attacks previously unknown software vulnerabilities. His new startup said it is prepared to pay out a total of $3 million to as many as three hacking teams or individuals for successful attacks.
Apple, which is often lauded for its tight security, did not immediately respond to Fortune’s request for comment. (In an unrelated incident that was a rare lapse for the company, malware-laced apps recently made their way into the company’s app store in China.)
Bekrar also founded the controversial French cybersecurity firm Vupen, a brokerage built on the sale of computer bugs and exploits. Unlike Vupen, which handled all of its own research internally, Zerodium’s business is built on accepting submissions from external researchers. Both companies, however, rely on not disclosing their vulnerability findings to affected companies, such as Apple, Google (GOOG), or Microsoft (MSFT).
Instead, they sell them to the highest bidder, whether that be a law enforcement or spy agency, or another corporation.
When the so-called Stagefright vulnerability, which affected Google’s Android operating system, went public earlier this year, Bekrar said he would have paid the researcher who discovered the flaw $100,000 for it. (For more on Stagefright, read this.)
Christopher Soghoian, chief technologist at the American Civil Liberties Union, has referred to such businesses as “modern-day merchants of death,” since it can be difficult to keep track of where sold exploits end up and just as hard to prevent them from falling into the hands of oppressive regimes.
The zero-day trade industry is one which often operates out of the public spotlight, although a recent hacking of the Italian spyware firm Hacking Team helped expose some of its inner workings through leaked emails and other documents.
In order to claim the prize, which is the largest on record for an exploit of this sort, hackers must be able to demonstrate that they can remotely take control of the latest iOS devices such as the iPhone 6s or new iPads. For a full rundown of the rules and stipulations, see Zerodium’s website.
“For obvious security reasons, ZERODIUM does not maintain any web infrastructure dedicated to zero-day submissions. All submissions to ZERODIUM must be achieved through encrypted emails,” the website states (where one might expect a submission form). “We reserve the right, at our sole discretion, to make or to not make an offer to acquire a vulnerability for any/no reason.”
Whether the competition is a PR stunt for Bekrar’s new company or a legitimate contest, Fortune cannot say for certain.
Katie Moussouris, chief policy officer at the bug bounty startup HackerOne, told Fortune via email that such high prices for zero-day exploits could cause problems for tech companies attempting to secure their products. “These are not generally sustainable reward levels for defensive markets,” she wrote, “due to the difficulty in maintaining the necessary developer and tester employees who might just leave their day jobs if bounties like this are more common.”
Fittingly, submissions are due by Halloween: Oct. 31, 2015 at 6:00 P.M. (eastern standard time). Trick or treat, hackers.
Updated (Sept. 22, 2015): Below are comments provided to Fortune via email by Zerodium founder Chaouki Bekrar.
1. Why $ 1 million?
We believe that one million US dollars is high enough to motivate many talented researchers and entice them to accept this highly technical challenge.
2. Whom do you plan to sell the potential exploits to, if acquired? And
for how much money?All acquired security research is made available to our customers which
include both government organizations and Fortune500 customers :-)We cannot discuss financial information.
3. How much does Zerodium typically pay out for zero days? What are the most common types?
As of today, Zerodium has acquired various zero-day exploits mostly
affecting web browsers on Windows (Internet Explorer, Chrome, Firefox)
and Android. We’re currently spending between $400,000 to $600,000 per
month for vulnerability acquisitions, and we expect to spend around
$1,000,000 US dollars per month before the end of this year additionally
to the iOS bug bounty.
