The exploit acquisition vendor Zerodium is doubling down again.
Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.
(Zerodium announced the bounty in a tweet from its @Zerodium account on September 13, 2017.)
Like it did when it announced the messaging app bounties, Zerodium says the Tor bounty is designed to help its government customers track criminals who use the anonymous browser.
When reached on Wednesday, a Tor Project spokesperson said the high payout was a good example of the security the browser provides, but he also suggested that participating in Zerodium’s bug bounty program could put Tor users’ lives at stake.
“We think the amount of the bounty is a testament to the security we provide. We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty. Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”
Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, has made a name for itself by offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty centered on iOS 9. It then one-upped itself by offering a $1.5 million bounty for an iOS 10 remote jailbreak around this time last year.
In August, the company said that a spike in demand from its customers, which it describes as democratic and non-sanctioned governments, combined with the small attack surface of private messaging apps, led to the change in bounty pricing. On Wednesday, Zerodium said that the Tor Browser’s use in “many cases” by criminals for drug trafficking and child abuse has contributed to demand for zero days in it.
Unlike the private messaging app bounty, which is ongoing, the company’s Tor Browser exploit bounty is limited. Zerodium said the Tor bounty is open until November 30 at 6 p.m., or until total payouts reach $1 million, whichever comes first.