Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Zerodium Publishes Prices for Zero-Day Exploits

Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.

Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.

The highest payout, up to $500,000, can be earned for a high quality zero-day exploit targeting Apple iOS. From September 21 through October 31, Zerodium ran a special bug bounty program offering up to $1 million for an iOS 9 exploit. The company said only one team won the bounty with a full chain of exploits for a remote and untethered iOS 9.1 and 9.2 jailbreak.

After the announcement that someone hacked iOS 9, Chaouki Bekrar, founder of the controversial security firm Vupen and the man behind Zerodium, said on Twitter that despite the remote jailbreak he still feels safe using his iPhone and pointed out that attacking iOS costs ten times more than Android.

Judging by the money offered by Zerodium for an Android zero-day exploit, it costs only five times more to hack iOS compared to Android — the company is offering up to $100,000 for both Android and Windows Phone remote jailbreaks.

In the case of Adobe Reader, Flash Player and Chrome, the maximum bounty is $80,000 for a remote code execution and sandbox escape combo. Bounty hunters can earn up to $50,000 for virtual machine (VM) escapes, RCE and sandbox escapes in Internet Explorer/Edge and Safari, and an RCE in Flash Player.

RCE exploits for Chrome, IE, Edge, Tor Browser, Firefox and Safari are awarded with up to $30,000. The same amount can be earned for exploits targeting Windows, Mac OS X, Linux, Microsoft Office, and the Windows Reader app.

Experts who manage to hack antiviruses, OpenSSL, PHP, Sendmail, Postfix, Exchange Server and Dovecot can get up to $40,000, the same amount as for an ASLR bypass. The lowest rewards, up to $5,000, are for forum software and content management systems (CMSs).

Zerodium claims to provide its services to major defense, technology and finance corporations that need advanced zero-day protection, and government organizations requiring specific and tailored security capabilities.

Advertisement. Scroll to continue reading.

Zerodium’s premium rewards might be tempting for many bug bounty hunters considering that tech giants such as Google and Microsoft pay far less for similar vulnerabilities. Furthermore, the Mobile Pwn2Own competition, which last year had a prize pool of more than $400,000, this year lost its main sponsor, HP, which cited concerns related to Japan’s implementation of the controversial Wassenaar Arrangement.

The 2015 Mobile Pwn2Own took place as usual alongside the PacSec conference in Tokyo, but there were only a couple participants.

Some of the experts who usually practice responsible disclosure might be tempted to report their findings to companies like Zerodium if high-paying competitions like Pwn2Own lose their sponsors.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.