The deadline for Zerodium’s iOS 9 bug bounty officially ended last month, and the company announced today that one team managed to claim the million-dollar prize by providing an improbable hack that allows attackers to remotely jailbreak the newest iPhone operating system.
— Zerodium (@Zerodium) November 2, 2015
Because zero-day vulnerabilities are so highly sought after, it’s unclear whether Zerodium will actually share the exploit with Apple. The security-research company provides its exploits only to its customers, which include government agencies like the National Security Agency that use zero-day exploits to snoop on users’ messages, email, phone calls and more.
Zerodium founder Chaouki Bekrar told Wired that two teams tried to claim the bounty, but one only made a partial exploit.
“Two teams have been actively working on the challenge but only one has made a full and remote jailbreak,” said Bekrar. “The other team made a partial jailbreak and they may qualify for a partial bounty (unconfirmed at this time).”
Bekrar says that the company may eventually tell Apple’s engineers the details of the technique to help them patch against an attack later. However, it’s ready to cash in on the prized exploit by selling all the technical details to its customers, which include “major corporations in defense, technology, and finance… and government organizations in need of specific and tailored cybersecurity capabilities.”