Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Zerodium Offers $1 Million for Tor Browser Exploits

Exploit acquisition firm Zerodium announced on Wednesday that it’s prepared to offer a total of $1 million for zero-day vulnerabilities in the Tor Browser, the application that allows users to access the Tor anonymity network and protect their privacy.

Exploit acquisition firm Zerodium announced on Wednesday that it’s prepared to offer a total of $1 million for zero-day vulnerabilities in the Tor Browser, the application that allows users to access the Tor anonymity network and protect their privacy.

The controversial company plans on selling the obtained exploits to its government customers to allegedly help them identify people that use Tor for drug trafficking and child abuse, and “make the world a better and safer place for all.”

Zerodium is looking for Tor Browser exploits that work on Windows and Tails, a security and privacy-focused Linux distribution. While the highest rewards can be earned for exploits that work on “high” security settings with JavaScript blocked, the company is also prepared to pay out significant amounts of money for exploits that work only with JavaScript allowed, which is the “low” security setting in Tor Browser.

An exploit that allows both remote code execution and local privilege escalation can earn up to $250,000 if it works on both Windows 10 and Tails 3.x with JavaScript blocked. If the exploit works on only one of the operating systems, it can still be worth up to $200,000.

A remote code execution exploit that does not include privilege escalation capabilities is worth up to $185,000 with JavaScript blocked. Exploits that require JavaScript to be enabled can earn up to $125,000 if they include both code execution and privilege escalation, and $85,000 if it’s only for code execution. The minimum bounty is $75,000 for an RCE-only exploit that works on either Windows or Rails.

Zerodium explained that the exploit must work silently and the only allowed user interaction is visiting a specially crafted web page. Exploits that require controlling or manipulating Tor nodes, or ones that can disrupt the Tor network will not be accepted.

“With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript,” Zerodium said.

The Tor Browser bounty will run until November 30, but it may be closed earlier if the $1 million reward pool is paid out.

Advertisement. Scroll to continue reading.

This is not the first time the company is offering $1 million. Back in 2015, it reportedly paid this amount to a single hacker team who discovered a remote browser-based untethered jailbreak for iOS 9.1.

Zerodium announced last month that it’s prepared to pay up to $500,000 for remote code execution and privilege escalation vulnerabilities affecting popular instant messaging and email applications.

Related: Zerodium Boosts Bounty for iOS Exploit to $1.5 Million

Related: Zerodium Offers $100,000 for Flash Exploit Mitigation Bypass

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.