Zerodium offers $1 million for zero-day exploits targeting Tor Browser

A U.S.-based security start-up announced a new bug bounty program on Wednesday, offering a total of $1 million in rewards to security researchers who identify zero-day exploits in the Tor Browser on the security-focused Tails Linux and on Windows.

The start-up, Zerodium, is known for buying security flaws and zero-day vulnerabilities from researchers and selling the information to government customers.

“ZERODIUM, the premium zero-day acquisition platform, announces and hosts a Tor Browser Zero-Day Bounty. ZERODIUM will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows,” reads the announcement published by ZERODIUM. “The bounty is open until November 30th, 2017 at 6:00pm EDT, and may be terminated prior to its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).”

The highest individual bounty offered by the company is $250,000 for any researcher who can provide an exploit that allows an attacker to compromise a target who is using the Tor Browser with high security settings on Tails Linux and Windows. Other, smaller bounties range between $75,000 (for exploits that work on only one of Windows or Tails and only with JavaScript allowed, which makes them easier to develop) and $200,000.

“Today, ZERODIUM sets the bar even higher with a new technical challenge: develop a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED! Exploits for Tor Browser with JavaScript allowed are also accepted/eligible but have lower payouts (see below),” continues the announcement.

Check the complete price list table below for ‘Tor Browser Zero-Day Exploits Bounty’ along with the rules and payouts:

While Zerodium acknowledged that the Tor network and Tor Browser are used by security-conscious individuals to enhance their privacy and anonymity online, it noted that they are also used by criminals as a gateway to the often shady sites of the dark web.

In a Q & A section, the company said it was offering the million-dollar bounty for Tor to make the world a safer place.

“While the Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the Internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse,” the company said.

“We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”

In a FAQ section on its website, Zerodium explained that its customers were mainly U.S. Government agencies.

“Zerodium customers are mainly government organisations in need of specific and tailored cyber security capabilities, as well as major corporations from defence, technology, and financial sectors, in need of protective solutions to defend against zero-day attacks,” it said.

“Access to Zerodium solutions and capabilities is highly restricted and is only available to a very limited number of organisations.”

Last month, Zerodium offered up to $500,000 for remote code execution (RCE) and privilege escalation vulnerabilities affecting secure messaging apps, such as Signal, WhatsApp, Telegram, Viber, iMessage, Facebook Messenger, WeChat and others, as well as zero-days targeting mobile email apps.