Zerodium Publishes Prices for Zero-Day Exploits

Exploit acquisition firm Zerodium is apparently trying to attract bug bounty hunters by making public the amounts of money it’s prepared to award for various vulnerabilities in popular software.

The highest payout, up to $500,000, can be earned for a high quality zero-day exploit targeting Apple iOS. From September 21 through October 31, Zerodium ran a special bug bounty program offering up to $1 million for an iOS 9 exploit. The company said only one team won the bounty with a full chain of exploits for a remote and untethered iOS 9.1 and 9.2 jailbreak.

After the announcement that someone hacked iOS 9, Chaouki Bekrar, founder of the controversial security firm Vupen and the man behind Zerodium, said on Twitter that despite the remote jailbreak he still feels safe using his iPhone and pointed out that attacking iOS costs ten times more than Android.

Judging by the money offered by Zerodium for an Android zero-day exploit, it costs only five times more to hack iOS compared to Android — the company is offering up to $100,000 for both Android and Windows Phone remote jailbreaks.

In the case of Adobe Reader, Flash Player and Chrome, the maximum bounty is $80,000 for a remote code execution and sandbox escape combo. Bounty hunters can earn up to $50,000 for virtual machine (VM) escapes, RCE and sandbox escapes in Internet Explorer/Edge and Safari, and an RCE in Flash Player.

RCE exploits for Chrome, IE, Edge, Tor Browser, Firefox and Safari are awarded with up to $30,000. The same amount can be earned for exploits targeting Windows, Mac OS X, Linux, Microsoft Office, and the Windows Reader app.

Experts who manage to hack antiviruses, OpenSSL, PHP, Sendmail, Postfix, Exchange Server and Dovecot can get up to $40,000, the same amount as for an ASLR bypass. The lowest rewards, up to $5,000, are for forum software and content management systems (CMSs).

Zerodium claims to provide its services to major defense, technology and finance corporations that need advanced zero-day protection, and government organizations requiring specific and tailored security capabilities.

Zerodium’s premium rewards might be tempting for many bug bounty hunters considering that tech giants such as Google and Microsoft pay far less for similar vulnerabilities. Furthermore, the Mobile Pwn2Own competition, which last year had a prize pool of more than $400,000, this year lost its main sponsor, HP, which cited concerns related to Japan’s implementation of the controversial Wassenaar Arrangement.

The 2015 Mobile Pwn2Own took place as usual alongside the PacSec conference in Tokyo, but there were only a couple participants.

Some of the experts who usually practice responsible disclosure might be tempted to report their findings to companies like Zerodium if high-paying competitions like Pwn2Own lose their sponsors.