Zerodium Raises Zero-Day Payout Ceiling to $2M

Apple exploits will fetch the highest price.

Exploit acquisition vendor Zerodium said Monday that it is upping its payouts for full, working exploits across its entire program. It’s now paying $2 million for remote iOS jailbreaks, $1 million for WhatsApp/iMessage/SMS/MMS remote code-execution (RCE) and a half-million for Google Chrome RCEs.

The move means that payouts for eligible zero-day exploits range from $2,000 to $2 million per submission – with even higher payouts available for “exceptional exploits and research,” it said on its website.

The amount awarded depends on the affected software/system, as well as the quality of the submitted exploit (i.e., is it a full or partial chain, does it affect current versions, reliability, bypassed exploit mitigations and so on). The research must be original and previously unreported.

Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, is known for offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty for iOS 9 exploits. It then one-upped itself in 2016 by offering a $1.5 million bounty for an iOS 10 remote jailbreak. In 2017, it debuted payouts for private messaging apps such as Signal and WhatsApp, and it said that it will pay up to $1 million for zero-day exploits for Tor Browser on Tails Linux and Windows.

As a vulnerability dealer, Zerodium has not been without controversy for brokering exploits that could end up in the wrong hands. Yet it bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

It also says that it “analyzes, documents and reports the findings to its clients,” (a small set of organizations and governments), “along with protective measures and security recommendations.”
