Zerodium Offering $1M for Tor Browser Zero Days

The exploit acquisition vendor Zerodium is doubling down again.

Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.

The company said it will pay up to $1 million for fully functional, unknown zero day exploits for Tor Browser on Tails Linux and Windows. Specifically, the company said it will pay $250,000 for combined remote code execution and local privilege escalation bugs that work on both Tails and Windows to root/system, or $200,000 for combined bugs in Tails or Windows. It will pay an abbreviated bounty for just RCE vulnerabilities, and vulnerabilities executed when JavaScript is allowed.

The company said that any exploits that require manipulating of Tor nodes, or exploits that would disrupt the network itself won’t be accepted. Submissions must include the full, unknown and previously unpublished, exploit, alongside a whitepaper explaining the techniques. Zerodium says an attack vector has to be a web page targeting the latest version of the browser, either in its default configuration where JavaScript is allowed to run with its security settings set to low, or in a hardened configuration where JavaScript is blocked.

Read more…

Source: ThreatPost