Zerodium offers $45,000 for Linux zero-day vulnerabilities

The private exploit seller is expanding its reach to acquire bugs in popular Linux builds.
Written by Charlie Osborne, Contributing Writer

Zerodium is offering $45,000 to hackers willing to privately report zero-day vulnerabilities in the Linux operating system.

On Thursday, the private exploit acquisition program announced the new addition to its bounties on Twitter. Until 31 March, Zerodium is willing to offer increased payouts of up to $45,000 for local privilege escalation (LPE) exploits.

The zero-day (unreported) vulnerabilities should work against default installations of popular Linux distributions such as Ubuntu, Debian, CentOS, Red Hat Enterprise Linux (RHEL), and Fedora.

Zerodium differs from many companies out there seeking outside help to discover vulnerabilities. While many technology vendors including Google, Apple, and Microsoft often offer financial rewards for valid bug reports, these reports are then used to patch software and protect user devices from compromise.

However, Washington, D.C.-based Zerodium is a private seller.

The company buys up vulnerabilities across a wide range of target devices and operating systems -- such as Microsoft Windows, Google Chrome, Android, Apple OS X, and various email servers -- in order to privately sell this information to clients; individually, or through the firm's zero-day research feed.

Customers may include government agencies that require exploits for purposes including breaking device encryption or conducting covert surveillance.

Depending on market demand, the exploit seller has offered bounties reaching over a million dollars in the past. In 2015, the company offered $1.5 million for working iOS 10 exploits.

Over the past year, governments have called for bans or mandatory backdoors in encrypted apps and end-to-end encryption services. Considering this shift in government priorities, Zerodium increased reward payouts in 2017 up to $500,000 for zero-day flaws in encrypted apps, such as iMessage, Telegram, and WhatsApp.

The boost in price for Linux vulnerabilities suggests there may be a high demand in the market at the present time.

Zerodium usually offers up to $30,000 for a Linux zero-day vulnerability, but in order to ramp up submissions, this has now increased by $15,000 until the deadline.

In September, Zerodium lured researchers with $1 million payouts for working exploits against the anonymizing Tor Browser.


In related news this week, Google revealed that researchers participating in the firm's bug bounty program earned themselves $2.9 million in rewards in 2017. Since 2010, the tech giant has paid out close to $12 million.
