Zerodium, which operates in the controversial exploit-brokering realm, is offering $500,000 per working exploit for code that can compromise secure messaging apps on mobile phones.
The company has released updated mobile pricing reflecting the addition of the category, which said that it’s looking for fully weaponized zero-days allowing remote code execution and local privilege elevation for WhatsApp, Signal, Facebook Messenger, iMessage, Telegram and others.
Zerodium founder Chaouki Bekrar told Kasperky Labs’ Threatpost that “The high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers.”
The start-up launched in 2015 backed by Vupen (where Bekrar was a cofounder), the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race by delivering advanced capabilities into the hands of governments and others that can end up in the wrong hands—i.e., the Stuxnet effect.
For its part, Zerodium bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
It also stresses that it has been founded by cybersecurity veterans with “unparalleled experience in advanced vulnerability research and exploitation,” and that it essentially functions like a third-party bug bounty program, rewarding independent researchers for their zero-day discoveries. From there, it will analyze, document and report the findings to its clients (organizations and governments), “along with protective measures and security recommendations.”
It does not, however, share the vulnerabilities with the affected vendors.
Zerodium also made a few other changes to its payout list: It is now offering $300,000 for Windows 10 remote code execution zero-days that target SMB or RDP; while Tor remote execution exploits on Linux are worth $100,000 and $80,000 on Windows. Apache on Linux and Microsoft IIS remote code execution attacks will now fetch $150,000, and Microsoft Outlook remote code execution zero-days have been bumped up to $100,000. Mozilla Thunderbird remote code executions and VMware ESXi guest-to-host escapes command $80,000.