With millions of iPhones upgrading to iOS 9 in recent days, security researchers are being offered unprecedented sums for flaws in the new operating system. An exploit trader named Zerodium has announced a million-dollar bounty for any new flaws in iOS 9 that allow an attacker to compromise a non-jailbroken device through a web page, in-app browsing action, or text message. Because software downloads are tightly managed through the App Store, such attacks are particularly difficult to execute on iOS devices. But as the recent Xcode compromise demonstrates, the App Store's protections can still be circumvented.
Researchers looking to claim the bounty will face an uphill battle, in part because of the strict requirements. To qualify, Zerodium requires a full chain of undisclosed exploits that circumvents every aspect of Apple's exploit mitigation measures and is executed remotely, silently, and entirely through a browser or text. As such, vulnerabilities like the recent Bluetooth attack would not qualify.
There's also a strict time limit: Zerodium is requiring all entries to be submitted by October 31st. That gives any researcher without an iOS developer credential less than two months to develop and deploy a proof of concept for the exploit, making it likely that the allotted period will pass without anyone successfully claiming the bounty. Still, the price tag alone will be enough to entice many researchers to try. It's the highest publicly reported price for a single exploit, and even though such trades are often secret, it appears to be well above the market rate. In 2013, an exploit trader reportedly commanded $500,000 for an undisclosed exploit in an earlier version of iOS.