Zerodium Offers Millions for Tor Browser Exploits
Zerodium, a company founded in 2015 by Chaouki Bekrar—one of the creators of Vupen—is one of the most well-known vulnerability brokers on the market. While Vupen primarily focused on developing its own exploits (an exploit is a computer program, code fragment, or sequence of commands that takes advantage of software vulnerabilities to carry out an attack on a computing system), Zerodium not only has its own team of developers but also purchases exploits and vulnerabilities from third parties.
On September 13, 2017, Zerodium announced a new, temporary bug bounty program. The program will run until November 30, 2017 (or end earlier if the company spends all the allocated funds), with a budget of $1,000,000.
Zerodium is ready to generously reward specialists who discover 0-day vulnerabilities in the Tor Browser for Tails Linux and Windows, and who provide working exploits for them. For example, for an RCE+LPE exploit for both operating systems that works even when JavaScript is disabled, the company is willing to pay $250,000. A more detailed “price list” from Zerodium can be seen in the table below.
“We need a lot of exploits, and we have many clients who are currently conducting operations to combat illegal activity on Tor. We have stricter requirements for Tor exploits for our government clients, as they are dealing with egregious cases of illegal activity on Tor and need to act,” Chaouki Bekrar told Vice Motherboard. The official announcement also mentions drug trafficking and child abuse as issues that the company’s important clients are allegedly fighting against.
Representatives of the Tor Project responded to Zerodium’s announcement fairly calmly. One of the browser’s developers told journalists that “the size of the rewards is a testament to the security we provide.” However, the developer emphasized that it is still better to “sell” vulnerabilities directly to the Tor Project, which also has its own bug bounty program.
“This is in the best interests of all Tor users, including government agencies,” the Tor Project notes, but does not comment on the fact that its official bug bounty initiative offers researchers only $4,000 as a reward.