Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.
The highest payout, up to $500,000, can be earned for a high quality zero-day exploit targeting Apple iOS. From September 21 through October 31, Zerodium ran a special bug bounty program offering up to $1 million for an iOS 9 exploit. The company said only one team won the bounty with a full chain of exploits for a remote and untethered iOS 9.1 and 9.2 jailbreak.
After the announcement that someone hacked iOS 9, Chaouki Bekrar, founder of the controversial security firm Vupen and the man behind Zerodium, said on Twitter that despite the remote jailbreak he still feels safe using his iPhone and pointed out that attacking iOS costs ten times more than Android.
Judging by the money offered by Zerodium for an Android zero-day exploit, it costs only five times more to hack iOS compared to Android — the company is offering up to $100,000 for both Android and Windows Phone remote jailbreaks.
In the case of Adobe Reader, Flash Player and Chrome, the maximum bounty is $80,000 for a remote code execution and sandbox escape combo. Bounty hunters can earn up to $50,000 for virtual machine (VM) escapes, RCE and sandbox escapes in Internet Explorer/Edge and Safari, and an RCE in Flash Player.
RCE exploits for Chrome, IE, Edge, Tor Browser, Firefox and Safari are awarded with up to $30,000. The same amount can be earned for exploits targeting Windows, Mac OS X, Linux, Microsoft Office, and the Windows Reader app.
Experts who manage to hack antiviruses, OpenSSL, PHP, Sendmail, Postfix, Exchange Server and Dovecot can get up to $40,000, the same amount as for an ASLR bypass. The lowest rewards, up to $5,000, are for forum software and content management systems (CMSs).
Zerodium claims to provide its services to major defense, technology and finance corporations that need advanced zero-day protection, and government organizations requiring specific and tailored security capabilities.
Zerodium’s premium rewards might be tempting for many bug bounty hunters considering that tech giants such as Google and Microsoft pay far less for similar vulnerabilities. Furthermore, the Mobile Pwn2Own competition, which last year had a prize pool of more than $400,000, this year lost its main sponsor, HP, which cited concerns related to Japan’s implementation of the controversial Wassenaar Arrangement.
The 2015 Mobile Pwn2Own took place as usual alongside the PacSec conference in Tokyo, but there were only a couple participants.
Some of the experts who usually practice responsible disclosure might be tempted to report their findings to companies like Zerodium if high-paying competitions like Pwn2Own lose their sponsors.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
