Expand / Collapse search
Watch TV
Menu

This material may not be published, broadcast, rewritten, or redistributed. ©2024 FOX News Network, LLC. All rights reserved. Quotes displayed in real-time or delayed by at least 15 minutes. Market data provided by Factset. Powered and implemented by FactSet Digital Solutions. Legal Statement. Mutual Fund and ETF data provided by Refinitiv Lipper.

iPhone

iOS9 is the target of the biggest bug bounty ever: $1 million

By John Casaretto Digital Trends
Published | Updated
397ba61c-APPLE-IPHONE

File photo - Customers hold the iPhone 6s during the official launch at the Apple store in central Sydney, Australia, Sept. 25, 2015. (REUTERS/David Gray)

An enormous new challenge has been set for the information security community, what's known as a "bug-bounty" -- a cash reward in return for the discovery of vulnerabilities. For researchers, getting such prizes can be both lucrative and a point of pride. This week, the largest bug-bounty award ever in the amount of $1 million has set security researchers into a race to be the first. The target is iOS 9, and the challenge asks for a browser-based, untethered jailbreak of the operating system.

Previous bug programs have featured payout in the hundreds or even thousands of dollars, and in a handful of cases, on the order of a hundred thousand dollars. But a million bucks? That'll buy a lot of 10-hour energy drinks.

Related: What is the ‘Stagefright’ hack and how can you defend yourself?

The company behind the bounty is known as Zerodium. The startup presents itself as a zero-day vulnerability and exploit acquisition program, meaning that being on the cutting edge of vulnerabilities is critical to its business model. The company reports security information that it collects from independent researchers on to clients through a security-research news feed. This information includes analysis, documentation, and protective measures.

Bug bounties have emerged as a popular way to discover vulnerabilities throughout the security community. It's a way to accelerate the discovery of security flaws before they emerge in the wild. Zerodium is prepared to pay out a total of up to $3 million in prizes for various exploits, according to contest details explained on the company's webpage:

There's a catch however -- a deadline of 6 p.m. on October 31, 2015 for this particular program. So crackers, get cracking.

Related: Apple to alert affected users about major iOS security breach

There are numerous indicators that suggest the web engine known as Webkit will be a prime vector in the hunt for this bug; WebKit is the core rendering engine in Apple's Safari web browser, after all. Google's Chrome browser uses a forked version of the same rendering engine called Blink. Both Webkit and Blink have been the target of repeated research projects as it is a component that has produced a number vulnerabilities and has been a primary path to successful exploits.

Although this research is initially oriented at the enterprise, the discovery of any significant bugs will undoubtedly reach the greater community as fixes and updates emerge to address them. Just this week, news emerged about another threat to the Apple ecosystem in the form of malware-compromised apps that had to be taken offline.