Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits

Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.

Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.

The company says it’s looking for ESXi (vSphere) and Hyper-V exploits that allow guest-to-host escapes. The exploits need to work on default configurations, they must be reliable, and they have to allow the attacker to gain full access to the host.

Zerodium looking for Hyper-V and ESXi exploits

Until now, Zerodium has been offering up to $200,000 for ESXi virtual machine escapes — the payout was increased earlier this year from $100,000.

“We are increasing the payouts for VMWare ESXi exploits to attract and encourage more researchers into auditing the security of this hypervisor as we firmly believe that there are many critical vulnerabilities affecting it and our government customers are in need of such exploits,” Chaouki Bekrar, founder and CEO of Zerodium, told SecurityWeek.

Microsoft Hyper-V was not part of the company’s bug bounty program until now.

“Hyper-V was not part of our bounty program as there was low to no interest in this product from our customers,” Bekrar explained. “However, we’ve recently observed a significant increase in demand for Hyper-V exploits and we have decided to add it to our program.”

It’s worth noting that Microsoft offers up to $250,000 for Hyper-V vulnerabilities through its bug bounty program.

Bekrar says Zerodium will offer up to $500,000 for Hyper-V and ESXi zero-day exploits for a couple of months and then it will decide if the payouts will be reduced or kept at this level depending on the number of submissions received from researchers.

Zerodium offers up to $2 million for high-quality exploits. The company says the information it acquires is provided to customers, which it claims are mainly government organizations “in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks.”

Earlier this year, Zerodium announced that it’s prepared to pay up to $2 million for remote iOS jailbreaks and $1 million for vulnerabilities in popular chat applications, including WhatsApp, iMessage and SMS/MMS apps.

Related: Zerodium Discloses Flaw That Allows Code Execution in Tor Browser

Related: Zerodium Offers $45,000 for Linux 0-Days

Related: Zerodium Offers $500,000 For Messaging, Email App Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.