Zerodium, a vendor operating in the nebulous exploit acquisition market, has put a premium on zero-day vulnerabilities in secure messaging applications in a new pricing structure.
Remote code execution and local privilege elevation zero days in messaging apps such as WhatsApp, Signal, Facebook Messenger, iMessage, Telegram and others can fetch $500,000 from the company’s program.
August 9, 2017 , 2:47 pm
Secure messaging apps have been a controversial focal point between law enforcement, governments and privacy-focused users and advocates. The issue crested last year with the FBI’s insistence that Apple help circumvent the security of a terrorist’s iPhone; the case was eventually dropped in court after the FBI procured a means of unlocking the phone without Apple’s intervention.
Zerodium, founded by former VUPEN cofounder Chaouki Bekrar, buys zero days and makes them available in a feed of exploits and defensive capabilities to its customers. The attacks and vulnerabilities are not shared with the affected vendor and therefore remain unpatched, which is obviously not the preferred outcome for software companies. Bekrar, meanwhile, has always maintained that Zerodium, and VUPEN before it, sell only to democratic and non-sanctioned governments.
Today’s pricing changes focused mainly on mobile. The company is also offering a half-million dollar payout for remote code execution and local privilege escalation (LPE) bugs in default mobile email applications, $150,000 for baseband and media file or document RCE and LPE attacks, $100,000 for sandbox escapes, code-signing bypasses, kernel LPE, Wi-Fi RCE and LPE, and SS7 attacks.
Bekrar told Threatpost that Zerodium’s government customers are in need of advanced capabilities and zero-day exploits that allow them to track criminals using these secure mobile apps.
“The high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers,” Bekrar said.
Requests for comment from Signal creator Moxie Marlinspike, as well as from WhatsApp and Facebook were not returned in time for publication.
Zerodium also announced that it would offer $300,000 for Windows 10 remote code execution zero days, specifically remote exploits targeting default Windows services such as SMB or RDP. Web server zero days, specifically Apache on Linux and Microsoft IIS remote code execution attacks, are now worth $150,000, while a Microsoft Outlook RCE is worth $100,000. Mozilla Thunderbird RCE and VMware ESXi guest-to-host escapes are both worth $80,000.
Zerodium also doubled—or nearly doubled—payouts for Chrome, PHP and OpenSSL attacks, while Tor RCEs on Linux and Windows climbed from $30,000 to $100,000 and $80,000 respectively.
Nearly a year ago, Zerodium tripled the bounty it offers for an Apple iOS 10 remote jailbreak to $1.5 million, after previously offering $1 million for iOS 9 zero days.
Zerodium’s payouts for other new exploit categories for servers and desktop computers include:
- Up to $300,000 for a Windows 10 exploit that requires no user interaction
- Up to $150,000 for Apache Web Server
- Up to $100,000 for Microsoft Outlook
- Up to $80,000 for Mozilla Thunderbird
- Up to $80,000 for VMware escapes
- Up to $30,000 for USB code execution
Zerodium has also raised the prices the company will pay for a range of other exploits, which include:
- Chrome RCE and LPE for Windows—from $80,000 to $150,000
- PHP Web programming language RCE—from $50,000 to $100,000
- RCE in OpenSSL crypto library used to implement TLS—from $50,000 to $100,000
- Microsoft Exchange Server RCE—from $40,000 to $100,000
- RCE and LPE in the TOR version of Firefox for Linux—from $30,000 to $100,000
- RCE and LPE in the TOR version of Firefox for Windows—from $30,000 to $80,000
The zero-day market has long been a lucrative business for private firms that regularly offer more payouts for undisclosed security vulnerabilities than big technology companies.