Exploit broker Zerodium has announced a month-long bounty program for code that can bypass the new heap isolation mitigation in Flash Player. It said that it will pay up to $100,000 per working zero-day.
Adobe has been working to strengthen Flash Player, a perennially popular target for vulnerability-hunters and hackers alike. Last month, it announced that it had rewritten its memory manager to protect against use-after-free vulnerability exploits.
Zerodium took that as its cue to up the ante, announcing via Twitter: “Adobe added isolated heap to Flash. This month we pay $100K (with sandbox) and $65K (without sandbox) per #exploit bypassing this mitigation.”
Zerodium launched in July 2015 as a new entrant to the ethically grey-scaled world of cyber-arms/defense-dealing. As its name suggests, it specializes in acquiring zero-day exploits. And then selling them off, typically to government intelligence agencies.
The start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race. Also, critics note that delivering advanced capabilities into the hands of governments and others can result in their ending up in the wrong hands—i.e., the Stuxnet effect.
For its part, Zerodium bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
This isn’t the first high-profile “wanted poster” for the company. In September, as the iPhone 6S hit the US market, it announced that it would reward $1m to anyone able to crack Apple’s iOS 9 operating system, paying up to three times the full amount for working exploits.
Shrugging off critics who said that outsized bounties merely fuel the incentives for cyber-criminals, Zerodium said that it simply aims to proportionately reward researchers for their time and effort: “Apple iOS, like all operating systems, is often affected by critical security vulnerabilities. However, due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” the company said at the time. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
Photo © 360b/Shutterstock.com