Connect with us

Hi, what are you looking for?



Zerodium Publishes Prices for Zero-Day Exploits

Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.

Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.

The highest payout, up to $500,000, can be earned for a high quality zero-day exploit targeting Apple iOS. From September 21 through October 31, Zerodium ran a special bug bounty program offering up to $1 million for an iOS 9 exploit. The company said only one team won the bounty with a full chain of exploits for a remote and untethered iOS 9.1 and 9.2 jailbreak.

After the announcement that someone hacked iOS 9, Chaouki Bekrar, founder of the controversial security firm Vupen and the man behind Zerodium, said on Twitter that despite the remote jailbreak he still feels safe using his iPhone and pointed out that attacking iOS costs ten times more than Android.

Judging by the money offered by Zerodium for an Android zero-day exploit, it costs only five times more to hack iOS compared to Android — the company is offering up to $100,000 for both Android and Windows Phone remote jailbreaks.

In the case of Adobe Reader, Flash Player and Chrome, the maximum bounty is $80,000 for a remote code execution and sandbox escape combo. Bounty hunters can earn up to $50,000 for virtual machine (VM) escapes, RCE and sandbox escapes in Internet Explorer/Edge and Safari, and an RCE in Flash Player.

RCE exploits for Chrome, IE, Edge, Tor Browser, Firefox and Safari are awarded with up to $30,000. The same amount can be earned for exploits targeting Windows, Mac OS X, Linux, Microsoft Office, and the Windows Reader app.

Experts who manage to hack antiviruses, OpenSSL, PHP, Sendmail, Postfix, Exchange Server and Dovecot can get up to $40,000, the same amount as for an ASLR bypass. The lowest rewards, up to $5,000, are for forum software and content management systems (CMSs).

Advertisement. Scroll to continue reading.

Zerodium claims to provide its services to major defense, technology and finance corporations that need advanced zero-day protection, and government organizations requiring specific and tailored security capabilities.

Zerodium’s premium rewards might be tempting for many bug bounty hunters considering that tech giants such as Google and Microsoft pay far less for similar vulnerabilities. Furthermore, the Mobile Pwn2Own competition, which last year had a prize pool of more than $400,000, this year lost its main sponsor, HP, which cited concerns related to Japan’s implementation of the controversial Wassenaar Arrangement.

The 2015 Mobile Pwn2Own took place as usual alongside the PacSec conference in Tokyo, but there were only a couple participants.

Some of the experts who usually practice responsible disclosure might be tempted to report their findings to companies like Zerodium if high-paying competitions like Pwn2Own lose their sponsors.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.