Zerodium makes it clear that it wants "exclusive" iOS 9 exploits, meaning that once they sell the exploits to the company, researchers are not allowed to share them with anyone else, including Apple.
The company probably plans to sell the acquired iOS 9 exploits to multiple governments, said Robert Graham, the CEO of cybersecurity firm Errata Security, in a blog post Monday.
Graham believes that such an iOS 9 exploit chain that needs to take advantage of multiple vulnerabilities in order to achieve its goal would normally be worth around $300,000.
"If they can sell it to four different countries for $300,000, they'll make a profit," he said. "On the other hand, some countries will pay more for exclusive access to a bug — paying for the privilege of cyber-superiority."
According to Graham, other companies or researchers who are in the business of selling zero-day exploits likely already have working attacks for iOS 9. That's because prior to its official launch recently, the OS was available for developers as a beta version, so there was enough time to find exploitable bugs in it.
The offer of $1 million, however, could provide enough incentive for some people working on public jailbreaks for the iOS community, to sell them instead.
Sign up for CIO Asia eNewsletters.