Zerodium updated its exploit acquisition payout schedule on Aug.23, adding new targets and prices for zero-day exploits. Among the new targets are mobile messaging apps including WhatsApp, iMessage and Signal, for which Zerodium will pay up to $500,000 for a remote code exploit with local privilege escalation zero-day vulnerability.
Zerodium is an independent, privately held company that launched in July 2015 and is in the business of acquiring zero-day exploits. The company first achieved global notoriety in September 2015 when it offered a $1 million award for an Apple iOS 9 zero-day. A year later in September 2016, Zerodium increased the iOS zero-day award to $1.5 million, which still remains the top award offered by the company for an exploit.
The new $500,000 payout for mobile messaging vulnerabilities is being driven by demand from Zerodium’s customers that pay for access to the company’s security vulnerability information.
“Signal, Telegram and other messaging apps are very popular among legitimate users but also among criminals,” Chaouki Bekrar, founder of Zerodium, told eWEEK. “Our government customers are in need of advanced capabilities and zero-day exploits that would allow them to track and monitor terrorists and criminals relying on these apps.”
In terms of the large $500,000 bounty that Zerodium is offering for the mobile messaging apps, part of the high cost has to do with the difficulty of finding exploitable vulnerabilities on those platforms.
“The high value for zero-day exploits affecting such apps comes mostly from the smaller attack surface that is available in these apps, compared to other software such as web browsers or file readers, which makes the discovery and exploitation of critical vulnerabilities in these messaging apps very challenging for security researchers,” Bekrar said.
Messaging apps aren’t the only new mobile targets on Zerodium’s updated payout list. Zerodium will also pay up to $500,000 for remote code execution with local privilege escalation zero-day vulnerabilities on the default email apps bundled with mobile operating systems.
In addition to the new mobile targets, Zerodium is adding new targets for servers and desktops. Among the payouts is a $30,000 award for a USB code execution vulnerability. USB vulnerabilities and exploits are not uncommon, though what Zerodium is looking for is somewhat more unique.
“USB tricks are very common, but these are out of scope of our program as we are mainly looking for USB exploits taking advantage of vulnerabilities in the operating system (Windows and Mac),” Bekrar said. “Eligible attacks would be similar to CVE-2010-2568 as used by Stuxnet and co.”
The CVE-2010-2568 issue was first patched by Microsoft in October 2010, though the Zero Day Initiative (ZDI) revealed in March 2015 that the patch in fact was not complete. As a result, Microsoft released an updated patch for the expanded vulnerability identified as CVE 2015-0096.
Unlike other organizations that pay a bug bounty and then disclose vulnerabilities to the impacted vendors, Zerodium follows a commercial disclosure policy and reports all acquired vulnerabilities to its own clients. The Zerodium Zero-Day Research Feed is made available to Zerodium clients and includes security information about vulnerabilities as well as recommendations and protective measures.
“We cannot disclose the total budget and amounts Zerodium is paying to security researchers to acquire their discoveries,” Bekrar said. “However, we can tell you that we are spending millions of dollars every year and are very proud to help talented researchers around the world make decent revenue with their hard work.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.