The premium exploit seller is particularly keen to get its hands on unknown vulnerabilities which can be used to exploit popular messaging apps, such as iMessage, Telegram, WhatsApp, Signal, Facebook, Viber, and WeChat, alongside traditional SMS/MMS messaging.
To this end, Zerodium is dangling a financial carrot worth up to $500,000 for each working zero-day exploit.
"Zerodium pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices," the company says. "While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at Zerodium we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market."
The changes focus mainly on mobile applications. Together with the messaging app rewards, $500,000 is also on offer for zero-days impacting a range of email applications, whether they be local privilege escalation flaws (LPEs) or remote code execution (RCE).
In addition, $150,000 is on offer for exploits impacting baseband frequencies, media files and documents, and the company also wants to hear about sandbox escapes, code signing bypass, and other mobile exploits.
Apple vulnerabilities are still in high demand, it seems. Close to a year ago, the exploit seller tripled its reward for Apple iOS 10 RCEs, and Zerodium is still offering $1.5 million for remote jailbreaks and persistence without user interaction.
The company also is willing to pay up to $1 million for an iOS jailbreak which needs user interaction, such as clicking a malicious link or file.
Zerodium has also expanded its exploit acquisition program with a set of new entries for servers and desktops. In total, up to $300,000 is on offer for zero-day flaws in this field depending on the system. Windows 10 RCEs are the most valuable, but zero-days for Apache Web Server on Linux, Microsoft Outlook, Mozilla Thunderbird, and VMware ESXi, among others, are also sought after.
In addition, the company has bumped up payments for Google Chrome RCEs from $80,000 to $150,000.
The private exploit sales market is nebulous at best. As a seller, you can never be sure where the vulnerability will end up -- or how it will be used. If researchers report their vulnerabilities directly to a vendor, they can rest assured that -- eventually, at least in most cases -- the vulnerability will be fixed, protecting their own device or software as well as others.
Tech vendors do not compete with either the black market or private exploit sellers when it comes to price, but rather leverage the idea that researchers actually want to do some good and protect systems from exploit.
If privately-sold exploits are sold on, however, researcher control over a discovery vanishes, too. The financial reward may be far higher, but the exploit in question could end up in the hands of other private companies, law enforcement, or less-than-respectable government programs dedicated to public surveillance.
As an example, when Apple refused to assist law enforcement in breaking a suspect's iPhone, the FBI then paid a private company for an exploit which worked on that particular model. A lawsuit brought against Apple in an attempt to force the firm's cooperation was then dropped.
Speaking to Threatpost, Zerodium founder Chaouki Bekrar said the company's government customers are in need of zero-day exploits which enable them to monitor criminals using secure messaging applications.
"The high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers," Bekrar said.