Zerodium Offers Millions for Tor Browser Exploits

Zerodium, a company founded in 2015 by Chaouki Bekrar—one of the creators of Vupen—is one of the most well-known vulnerability brokers on the market. While Vupen primarily focused on developing its own exploits (an exploit is a computer program, code fragment, or sequence of commands that takes advantage of software vulnerabilities to carry out an attack on a computing system), Zerodium not only has its own team of developers but also purchases exploits and vulnerabilities from third parties.

On September 13, 2017, Zerodium announced a new, temporary bug bounty program. The program will run until November 30, 2017 (or end earlier if the company spends all the allocated funds), with a budget of $1,000,000.

Zerodium is ready to generously reward specialists who discover 0-day vulnerabilities in the Tor Browser for Tails Linux and Windows, and who provide working exploits for them. For example, for an RCE+LPE exploit for both operating systems that works even when JavaScript is disabled, the company is willing to pay $250,000. A more detailed “price list” from Zerodium can be seen in the table below.

“We need a lot of exploits, and we have many clients who are currently conducting operations to combat illegal activity on Tor. We have stricter requirements for Tor exploits for our government clients, as they are dealing with egregious cases of illegal activity on Tor and need to act,” Chaouki Bekrar told Vice Motherboard. The official announcement also mentions drug trafficking and child abuse as issues that the company’s important clients are allegedly fighting against.

Representatives of the Tor Project responded to Zerodium’s announcement fairly calmly. One of the browser’s developers told journalists that “the size of the rewards is a testament to the security we provide.” However, the developer emphasized that it is still better to “sell” vulnerabilities directly to the Tor Project, which also has its own bug bounty program. “This is in the best interests of all Tor users, including government agencies,” the Tor Project notes, but does not comment on the fact that its official bug bounty initiative offers researchers only $4,000 as a reward.
