Will $1 million iOS bug bounty compel Apple to pay for software flaws?

Zerodium, a firm that counts spy agencies as customers, has offered to pay $1 million for information about holes in Apple’s mobile operating system, alarming civil liberties advocates and highlighting Apple’s unwillingness to pay researchers for similar work.

[Photo: A sales assistant shows features of iOS 9 on an Apple iPhone 6 at an Apple reseller shop in Bangkok. Chaiwat Subprasom/Reuters]

September 25, 2015

One million dollars is a princely sum to pay for a previously unknown – or "zero day" – software vulnerability, even for one in Apple's mobile operating system.

But that's the carrot that newly formed cybersecurity firm Zerodium is dangling in front of hackers, researchers, developers, or anyone else who can deliver a method for compromising the security of iOS or "jailbreak" it by defeating the company's notoriously tough content protection technology.

The offer, announced Monday, sent ripples through a global marketplace in which technology firms, government agencies, even a few cybercriminal groups pay handsomely for exploits. It is also casting a harsh light on one notable holdout in that marketplace: Apple, the world's wealthiest corporation. 

In what amounts to a technology grey market, spy agencies buy vulnerabilities from brokers such as Zerodium to use in attacks or defend themselves from other buyers. In the business world, software firms will purchase information on vulnerabilities to patch products and protect their consumers. But Zerodium's "Million Dollar iOS 9 Bug Bounty" raises the stakes in the bug-hunting marketplace to incredible new heights. 

Security researchers and digital rights groups alike say the company's hunt for iOS vulnerabilities threatens to make security worse for everyone, setting off a gold rush for flaws in iOS 9 that could end up in the wrong hands. Microsoft's $100,000 bounty – considered a high sum for a company to pay for bugs it plans to patch – pales in comparison.

If his track record is any indication, that's what Zerodium founder Chaouki Bekrar is banking on. An offshoot of the French security firm VUPEN, which Mr. Bekrar also founded, Zerodium launched in July to match the talents of top security researchers with clients looking for vulnerabilities. At VUPEN, Bekrar employed some of the world's best technical talent to uncover exploitable holes in commonly used software for the benefit of VUPEN's clients.

In an e-mail, Bekrar described his current customers as "both Fortune 500 companies as well as three letter agencies." It is the latter that has digital rights groups concerned about his high-priced bounties.

"There are many experienced researchers already working on iOS exploits or stockpiling iOS zero days for various reasons," he wrote. "We believe that many of these talents will be attracted by the bounty and will definitely succeed."

That's troubling to Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, who has researched the US government’s practice of buying information about software vulnerabilities. Using a Freedom of Information Act request, Mr. Crocker was able to get a copy of the government's Vulnerabilities Equities Process – the guidelines that the government and intelligence services use to acquire and deploy software vulnerabilities.

"It’s an open secret that the government uses vulnerabilities for both offensive and defensive purposes," said Crocker. "And this isn't just vulnerabilities they discover, but those they acquire from other sources."

Crocker said that the practice of buying vulnerabilities from vendors such as Zerodium presents many problems. Not least among those is that buying the information has the potential to make governments complicit in allowing software vulnerabilities to fester. And, because nation-states or cybercriminals might discover the same holes, such activity may put the public at risk, he notes.

One way to counter this, experts say, is for Apple to join other leading technology firms in paying researchers who discover flaws in its devices and software. 

"The only effective way to combat this is [to] open up their bug bounty," said Mark Litchfield, founder of Bug Bounty HQ and one of the world’s top independent vulnerability researchers.

While competitors such as Google, Facebook, Twitter, and Microsoft have all launched vulnerability "bounty" programs in recent years, Apple has stuck to a policy of not paying for information about holes in its software. Instead, the company offers a "Hall of Fame," giving credit to researchers who find bugs on its webpage.

Top researchers note that praise on Apple's website is thin gruel when compared with the bounties paid by other tech firms. Information on vulnerabilities that allow remote code execution can fetch $10,000 to $100,000 – or more.

Apple is hardly the only prominent tech firm to abstain from cash rewards. Adobe and Oracle have also held back from launching that kind of program. But with the world's most valuable (and visible) technology brand, and more than $200 billion in cash on hand, Apple is in a unique position.

If nothing else, it could effortlessly corner the market on information on vulnerabilities in its software – offering generous rewards that would attract the best researchers in the world and lock up the bulk of zero days. But Mr. Litchfield said that the company wouldn’t have to offer anywhere near $1 million to tap into what he sees as pent up demand among researchers to crack their knuckles on Apple’s products.

"Clearly they would never offer [$1 million] but if they can give some reasonable bounty amounts I am sure they would have some great issues reported to them responsibly," he said.

By doing so, Apple would undercut the efforts of cyberarms dealers and third-party research firms such as Zerodium, Litchfield and others agree.

Apple did not respond to multiple requests for comment about the Zerodium bounty or its own plans regarding bug bounties.

While an employee at Microsoft, Katie Moussouris helped establish its $100,000 reward. She said such bounties "appeal to those who want to make a nontrivial amount of cash, plus get all the glory for helping to secure the ecosystem."

The $1 million Zerodium bounty "can't be outbid effectively in the defense market," said Ms. Moussouris, now chief policy officer of HackerOne, a firm that helps other companies set up and run bug bounty programs. 

But she added that the monetary award comes with hidden costs: The "additional tax of knowing it will likely be used in an attack."

Editor's note: This story was updated after publication to correct the location of Zerodium. The firm is based in the US.