Zerodium has launched a new scheme to snap up zero-day vulnerabilities impacting the Tor Browser.
The private exploit seller has promised rewards of up to $1 million for valid, previously unknown security vulnerabilities in Tor Browser on Tails Linux and Windows.
The bug bounty has a time limit, however, and valid bugs must be submitted by Nov. 30, 2017.
If the company achieves what it wants and payouts reach the one million mark, then the program may be closed earlier.
The Tor Browser is used by the general public, activists, journalists, and those seeking to circumvent censorship barriers in some countries.
The rewards are laid out below:
The company does not want any exploit "requiring control or manipulation of Tor nodes, or exploits/attacks that would cause disruption of the Tor network."
Remote code execution must be possible through the zero-day exploit, and no user interaction should take place except visiting a web page -- although the exploit seller is interested in other attack vectors, such as opening a document, outside of the bug bounty program.
Unsurprisingly, Zerodium expects reports to be made exclusively to the company, so that the exploits can be sold onwards.
The Tor Browser is used by many as a legitimate way to mask their online activities, but the seller said their "government" customers need such attacks to thwart "ugly people" who conduct activities including "drug trafficking or child abuse."
"We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all," the firm said.
Researchers and bug bounty hunters happy to sell off their findings for high financial rewards will be up against it, however. In July, the nonprofit behind Tor launched its own bug bounty program to prevent the identity of Tor users being unmasked.