Zerodium is increasing its efforts to acquire zero-day vulnerabilities in popular software for private sale by increasing the financial rewards on offer.
The private exploit seller, a privately-held startup launched in 2015, acquires zero-day vulnerabilities and exploit chains in order to sell them on to customers -- which may include corporations, law enforcement, and government entities.
The market for vulnerabilities is massive. It is not only cyberattackers in the underground which obtain and use bugs for their own purposes; law enforcement in the US has previously paid researchers in the past to find bugs and break into iPhones during criminal investigations, and government officials worldwide are constantly fighting back against the move towards encryption.
End-to-end encryption standards can prevent snooping, surveillance, as well as the leak of private data -- and so one of the only ways to circumvent these protections is to obtain vulnerabilities which are yet to be patched by vendors. As our devices' security standards improve, the task of infiltrating them becomes only more difficult.
Researchers who uncover previously-unknown security flaws which could be used to compromise users in these ways can report their findings directly to affected vendors, sell them on the underground, or chose to disclose these bugs to private sellers.
While morally dubious, in the latter case, there is serious money to be earned.
Evidently, business is booming for Zerodium, which has now released an updated list of financial rewards for all manner of security reports.
The payouts mirror demand and the highest payout on offer is for Apple iOS remote jailbreak reports with persistence and without a need for clicks to initiate. Originally, Zerodium offered $1.5 million for such reports, but this has now increased by $500,000 to $2 million.
The exploit seller is also willing to pay up to $1.5 million for similar, working exploits which require one click to set in motion.
Zerodium also has its sights set on WhatsApp, iMessage, or SMS/MMS remote code execution vulnerabilities, any of which can earn a bug bounty hunter up to $1 million, a payout which has been doubled.
Payouts have also been increased for Chrome remote code execution vulnerabilities, Safari flaws, and Touch ID bypass methods for both iOS and Android mobile devices.
In terms of desktops, Zerodium has doubled the bounty on offer for Windows remote code execution attacks via SMB or RDP packets which do not require user interaction to $1 million. In addition, rewards have been doubled for Chrome remote code execution bugs, Apache exploits, and VMWare ESXi VM Escape methods, among others.
Last year, the exploit seller ramped up its rewards for Linux-based vulnerabilities. Payouts of up to $45,000 were made available for local privilege escalation (LPE) exploits.
Zerodium is not the only gray exploit seller in business. Dubai-based Crowdfense operates a platform which facilitates the sale of vulnerabilities and all manner of exploit chains. These 'wares' can then be sold on to "global institutional customers," which may include government entities.