Zerodium Offering $1M for Tor Browser Zero Days

Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day.

The exploit acquisition vendor Zerodium is doubling down again.

Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.

The company said it will pay up to $1 million for fully functional, unknown zero day exploits for Tor Browser on Tails Linux and Windows. Specifically, the company said it will pay $250,000 for a combined remote code execution and local privilege escalation exploit that works on both Tails and Windows and reaches root/system, or $200,000 for a combined exploit that works on either Tails or Windows. It will pay a smaller bounty for exploits that achieve only RCE, and for exploits that work only when JavaScript is enabled.

The company said that exploits that require manipulating Tor nodes, or exploits that would disrupt the network itself, won’t be accepted. Submissions must include the full, unknown and previously unpublished exploit, alongside a whitepaper explaining the techniques. Zerodium says the attack vector has to be a web page targeting the latest version of the browser, either in its default configuration, where JavaScript is allowed to run and the security settings are set to low, or in a hardened configuration where JavaScript is blocked.

Like it did when it announced the messaging app bounties, Zerodium says the Tor bounty is designed to help its government customers track criminals who use the anonymous browser.

When reached on Wednesday, a Tor Project spokesperson said the high payout was a good example of the security the browser provides. But, he also suggested participating in Zerodium’s bug bounty program could put Tor users’ lives at stake.

“We think the amount of the bounty is a testament to the security we provide. We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty. Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, has made a name for itself by offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty centered on iOS 9. It then one-upped itself by offering a $1.5 million bounty for information pertaining to an iOS 10 remote jailbreak around this time last year.

The company in August said that a spike in demand from its customers, democratic and non-sanctioned governments, combined with the small attack surface of private messaging apps, led to a change in bounty pricing. Zerodium said Wednesday that the fact the Tor Browser is used in “many cases” by attackers to carry out drug trafficking and child abuse has contributed to demand for zero days.

When reached Wednesday, Bekrar said that previous Tor zero days, notably those used in 2013 and 2016, didn’t threaten the lives of any users.

“All known Tor Browser exploits that have been used by Gov agencies in the past (2013 & 2016) didn’t threaten the life of ANY legitimate user,” Bekrar said. “Those exploits were all used against pedophiles & drug traffickers, and Tor Project should stop defending these people.”

Unlike the private messaging app bounty, which is ongoing, the company’s Tor Browser exploit bounty is limited in time. Zerodium said the Tor bounty is open until November 30 at 6 p.m., or until the payout reaches $1 million, but that the company will still entertain exploits after the fact.

“As we’ve set the prices very high, we had to limit this in time,” Bekrar said. “After the deadline, we will still acquire such exploits as part of our usual program and prices.”

*This article was updated at 10 a.m. Sept 14 with comments from Chaouki Bekrar.*
