In September, Zerodium announced its "Million Dollar iOS Bug Bounty" contest, offering a cool mil to anyone who could hack Apple's iOS 9 and expose its security flaws. On Monday the cybersecurity startup tweeted it has a winner—an anonymous team, Digital Tech reports, that was able to set up an attack "on a fully updated iOS 9 device … remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS," per contest rules. That winning "jailbreak" now gives Zerodium the ability to sell the hack to its choice of customers, which company founder Chaouki Bekrar tells Wired include "major corporations in defense, technology, and finance" and "government organizations in need of specific and tailored cybersecurity capabilities."
Bekrar says that two teams were actually neck and neck in racing to achieve the "zero-day" attack—finding a software vulnerability that the vendor doesn't even know about and then sneaking through that hole to plant a virus or other malware, per Wired—"but only one has made a full and remote jailbreak. … The other team made a partial jailbreak and they may qualify for a partial bounty." Bekrar also says he has no plans to let Apple in on the specific vulnerabilities so it can work up a patch, though he may do so "later" (i.e., after his company has profited). Wired points out that while Zerodium selling software exploits isn't technically illegal, companies like it have been blasted as "modern-day merchants of death" for hawking "the bullets for cyberwar," and Bekrar himself has been called an "ethically challenged opportunist" by a Google security team member. No word from Apple yet, Wired notes.