Zerodium, a vendor operating in the nebulous exploit acquisition market, has put a premium on zero-day vulnerabilities in secure messaging applications in a new pricing structure announced today.
Remote code execution and local privilege escalation zero days in messaging apps such as WhatsApp, Signal, Facebook Messenger, iMessage, Telegram and others can fetch $500,000 from the company’s program.
Secure messaging apps have been a controversial focal point between law enforcement, governments and privacy-focused users and advocates. The issue crested last year with the FBI’s insistence that Apple help it bypass the passcode protections on a terrorist’s iPhone; the case was eventually dropped in court after the FBI procured a means of unlocking the phone without Apple’s intervention.
Zerodium, founded by VUPEN cofounder Chaouki Bekrar, buys zero days and makes them available to its customers in a feed of exploits and defensive capabilities. The bugs and exploits are not shared with the affected vendor and therefore remain unpatched, obviously not the preferred outcome for software companies. Bekrar, meanwhile, has always maintained that Zerodium, and VUPEN before it, sell only to democratic and non-sanctioned governments.
Today’s pricing changes focused mainly on mobile. The company is also offering a half-million dollar payout for remote code execution (RCE) and local privilege escalation (LPE) bugs in default mobile email applications; $150,000 for baseband RCE and LPE and for RCE and LPE triggered through media files or documents; and $100,000 for sandbox escapes, code-signing bypasses, kernel LPE, Wi-Fi RCE and LPE, and SS7 attacks.
Bekrar told Threatpost that Zerodium’s government customers are in need of advanced capabilities and zero-day exploits that allow them to track criminals using these secure mobile apps.
“The high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers,” Bekrar said.
Requests for comment from Signal creator Moxie Marlinspike, as well as from WhatsApp and Facebook were not returned in time for publication.
Zerodium also announced that it would offer $300,000 for Windows 10 remote code execution zero days, specifically remote exploits targeting default Windows services such as SMB or RDP. Web server zero days, specifically Apache on Linux and Microsoft IIS remote code execution attacks, are now worth $150,000, while a Microsoft Outlook RCE is worth $100,000. Mozilla Thunderbird RCE and VMware ESXi guest-to-host escapes are both worth $80,000.
Zerodium also doubled—or nearly doubled—payouts for Chrome, PHP and OpenSSL attacks, while Tor RCEs on Linux and Windows climbed from $30,000 to $100,000 and $80,000 respectively.
Nearly a year ago, Zerodium tripled its standing bounty for an Apple iOS 10 remote jailbreak from $500,000 to $1.5 million; before that, it had run a one-off $1 million bounty for iOS 9 remote jailbreak zero days.