If you can jailbreak an iPhone or iPad remotely, you get $1 million.
If you can find a way to hack the new iPhones and iPads, you can win one million dollars.
That's the huge bug bounty offered by the notorious zero-day exploits merchant Chaouki Bekrar, through his new startup Zerodium. The firm announced the bounty on Monday, challenging security researchers and hackers to find unknown vulnerabilities and exploits in Apple's new iOS 9 operating system.
Tech companies such as Google or Facebook have offered bug bounties for years, but there's also a controversial gray market of middle-men firms, such as Zerodium, that offer to buy and resell high-value zero-day bugs and exploits to intelligence agencies around the world.
To win the challenge, the exploit needs to allow the attacker using it to remotely install an arbitrary app with full privileges on a new iOS 9 device such as the iPhone 6s or the new iPads—essentially jailbreaking it. Also, the attack needs to work via Apple's browser Safari, Google Chrome, or via text or multimedia message, according to the bounty's requirements.
The reward, which Zerodium says is the highest it's ever offered for a bug, is justified because Apple's iOS 9 "is currently the most secure mobile [operating system]."
"But don't be fooled, secure does not mean unbreakable," Zerodium wrote in its press release, which set October 31 as the deadline for the challenge and offered up to three rewards of $1 million.
"We believe that one million US dollars is high enough to motivate many talented researchers and entice them to accept this highly technical challenge," Bekrar told Motherboard in an email.
Jonathan Zdziarski, a well-known security researcher who's studied Apple devices for years, said that the reward is a "massive bounty."
"The only reason to pay for this [zero-day] is to exploit it on a major scale (not to report it to Apple and have it fixed)," Zdziarski told Motherboard in a Twitter direct message.
That means, he added, that "there's a nation state behind it," but it's likely not the United States or the UK, because those two governments would try to find this exploit privately and not be so public about it.
Zdziarski added that the bounty is so high because "exploits like this used to be pretty common but not in recent years."
Some security researchers reacted with surprise to the announcement.
"Uau! Someone finally came public with the unicorn pricetag," said security researcher Pedro Vilaça, who has also done research on Apple's operating systems.
Vilaça told Motherboard via Twitter that he's not sure anyone will come forward to claim the bounty. However, he added that "that kind of exploit is not an unicorn," given that in the past some researchers have proven that it's possible to exploit Apple's desktop operating system Mac OS X in a similar way.
Apple, which doesn't have a bug bounty program, did not respond to a request for comment by the time of publication.
Bekrar declined to say how much it will cost Zerodium customers to buy the exploit, or have information about it. He only said that the exploit or exploits "will be made available, with defensive measures, to our customers which are government organizations and Fortune 500 companies."
If the winners agree, however, Bekrar said that Zerodium "may publish the number of winner and their continent," but not their country.
"Details will not be published of course," he told me.