Security Experts:

Zerodium Offers $1 Million for Tor Browser Exploits

Exploit acquisition firm Zerodium announced on Wednesday that it’s prepared to offer a total of $1 million for zero-day vulnerabilities in the Tor Browser, the application that allows users to access the Tor anonymity network and protect their privacy.

The controversial company plans on selling the obtained exploits to its government customers to allegedly help them identify people that use Tor for drug trafficking and child abuse, and “make the world a better and safer place for all.”

Zerodium is looking for Tor Browser exploits that work on Windows and Tails, a security and privacy-focused Linux distribution. While the highest rewards can be earned for exploits that work on “high” security settings with JavaScript blocked, the company is also prepared to pay out significant amounts of money for exploits that work only with JavaScript allowed, which is the “low” security setting in Tor Browser.

An exploit that allows both remote code execution and local privilege escalation can earn up to $250,000 if it works on both Windows 10 and Tails 3.x with JavaScript blocked. If the exploit works on only one of the operating systems, it can still be worth up to $200,000.

A remote code execution exploit that does not include privilege escalation capabilities is worth up to $185,000 with JavaScript blocked. Exploits that require JavaScript to be enabled can earn up to $125,000 if they include both code execution and privilege escalation, and $85,000 if it’s only for code execution. The minimum bounty is $75,000 for an RCE-only exploit that works on either Windows or Rails.

Zerodium explained that the exploit must work silently and the only allowed user interaction is visiting a specially crafted web page. Exploits that require controlling or manipulating Tor nodes, or ones that can disrupt the Tor network will not be accepted.

“With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript,” Zerodium said.

The Tor Browser bounty will run until November 30, but it may be closed earlier if the $1 million reward pool is paid out.

This is not the first time the company is offering $1 million. Back in 2015, it reportedly paid this amount to a single hacker team who discovered a remote browser-based untethered jailbreak for iOS 9.1.

Zerodium announced last month that it’s prepared to pay up to $500,000 for remote code execution and privilege escalation vulnerabilities affecting popular instant messaging and email applications.

Related: Zerodium Boosts Bounty for iOS Exploit to $1.5 Million

Related: Zerodium Offers $100,000 for Flash Exploit Mitigation Bypass

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.