Zerodium lures researchers with $1 million payout for Tor Browser flaws

The new bug bounty program only wants functional zero-day exploits.
Written by Charlie Osborne, Contributing Writer

Zerodium has launched a new scheme to snap up zero-day vulnerabilities impacting the Tor Browser.

The private exploit seller has promised rewards of up to $1 million for valid, previously unknown security vulnerabilities in Tor Browser on Tails Linux and Windows.

The bug bounty has a time limit, however, and valid bugs must be submitted by Nov. 30, 2017.

If the company achieves what it wants and payouts reach the one million mark, then the program may be closed earlier.


"With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript," Zerodium said on Wednesday.

The Tor Browser is used by the general public, activists, journalists, and those seeking to circumvent censorship barriers in some countries.

Users know that disabling JavaScript is highly recommended: the software is constantly being patched to resolve bugs, and there is no guarantee that JavaScript will not provide an avenue for exploitation.

With this in mind, Zerodium insists that vulnerabilities reported to the company must work with JavaScript blocked to earn the high rewards. In some circumstances, however, vulnerabilities developed against a JavaScript-enabled Tor session will still be considered for a payout.

The rewards are laid out below:


"The research must rely on exclusive, unknown, unpublished, and unreported zero-days, and must bypass all exploit mitigations applicable to each target category," Zerodium said. "The initial attack vector must be a web page targeting the latest versions of Tor Browser (Stable + Experimental) in either a non-default/hardened configuration where JavaScript is blocked for all websites (Tor Browser Security Settings set to: High), or in its default configuration (Tor Browser Security Settings set to: Low (default))."

The company does not want any exploit "requiring control or manipulation of Tor nodes, or exploits/attacks that would cause disruption of the Tor network."


Remote code execution must be possible through the zero-day exploit, and no user interaction should take place except visiting a web page -- although the exploit seller is interested in other attack vectors, such as opening a document, outside of the bug bounty program.

Unsurprisingly, Zerodium expects the report to be made exclusively to the company, to be sold onwards.

The Tor Browser is used by many as a legitimate way to mask their online activities, but the seller said their "government" customers need such attacks to thwart "ugly people" who conduct activities including "drug trafficking or child abuse."

"We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all," the firm said.

Researchers and bug bounty hunters happy to sell off their findings for high financial rewards will be up against it, however. In July, the nonprofit Tor Project launched its own bug bounty program to prevent the identity of Tor users being unmasked.

