Zerodium Paying Up to $500K for Mobile Messaging App Vulnerabilities

By Sean Michael Kerner - August 24, 2017

Zerodium updated its exploit acquisition payout schedule on Aug. 23, adding new targets and prices for zero-day exploits. Among the new targets are mobile messaging apps including WhatsApp, iMessage and Signal, for which Zerodium will pay up to $500,000 for a zero-day remote code execution exploit that also achieves local privilege escalation.

Zerodium is an independent, privately held company that launched in July 2015 and is in the business of acquiring zero-day exploits. The company first achieved global notoriety in September 2015 when it offered a $1 million award for an Apple iOS 9 zero-day. A year later, in September 2016, Zerodium increased the iOS zero-day award to $1.5 million, which remains the top award the company offers for an exploit.

The new $500,000 payout for mobile messaging vulnerabilities is driven by demand from Zerodium's customers, who pay for access to the company's security vulnerability information.

      “Signal, Telegram and other messaging apps are very popular among legitimate users but also among criminals,” Chaouki Bekrar, founder of Zerodium, told eWEEK. “Our government customers are in need of advanced capabilities and zero-day exploits that would allow them to track and monitor terrorists and criminals relying on these apps.”

Part of the reason for the large $500,000 bounty Zerodium is offering for mobile messaging apps is the difficulty of finding exploitable vulnerabilities on those platforms.

      “The high value for zero-day exploits affecting such apps comes mostly from the smaller attack surface that is available in these apps, compared to other software such as web browsers or file readers, which makes the discovery and exploitation of critical vulnerabilities in these messaging apps very challenging for security researchers,” Bekrar said.

Messaging apps aren't the only new mobile targets on Zerodium's updated payout list. Zerodium will also pay up to $500,000 for zero-day remote code execution with local privilege escalation in the default email apps bundled with mobile operating systems.

In addition to the new mobile targets, Zerodium is adding new targets for servers and desktops. Among the payouts is a $30,000 award for a USB code execution vulnerability. USB vulnerabilities and exploits are not uncommon, but what Zerodium is looking for is more specific.

      “USB tricks are very common, but these are out of scope of our program as we are mainly looking for USB exploits taking advantage of vulnerabilities in the operating system (Windows and Mac),” Bekrar said. “Eligible attacks would be similar to CVE-2010-2568 as used by Stuxnet and co.”

Microsoft first patched CVE-2010-2568 in October 2010, though the Zero Day Initiative (ZDI) revealed in March 2015 that the patch was in fact incomplete. As a result, Microsoft released an updated patch for the expanded vulnerability, identified as CVE-2015-0096.

Unlike organizations that pay a bug bounty and then disclose vulnerabilities to the affected vendors, Zerodium follows a commercial disclosure policy and reports all acquired vulnerabilities only to its own clients. The Zerodium Zero-Day Research Feed, made available to those clients, includes security information about the vulnerabilities as well as recommendations and protective measures.

      “We cannot disclose the total budget and amounts Zerodium is paying to security researchers to acquire their discoveries,” Bekrar said. “However, we can tell you that we are spending millions of dollars every year and are very proud to help talented researchers around the world make decent revenue with their hard work.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.