Written byPatrick Howell O'Neill
A startup that buys zero-day exploits will pay hackers $45,000 for Linux local privilege escalation exploits against popular operating systems like Ubuntu, Debian and Fedora.
The company, Zerodium, is famous for its exploit-buying program. It pays bounties as high as $1.5 million bounty if the research is completely original and the target is right. The price depends on the security of the target and the demand in the market.
The program might be widely known in the cybersecurity community, but the results are highly secret: Zerodium, based in Washington, D.C., sells its exploits to government customers who will pay for the ability to break virtually any kind of computer. Privilege escalation exploits are particularly valuable because they allow an attacker to gain access to parts of a computer that would otherwise be restricted from them.
The new $45,000 bounty for Linux local privilege escalations is a $15,000 raise above Zerodium’s usual $30,000 price tag, suggesting a rise in demand. It’s an offer with an expiration date: Increased payouts will last only until March 31.
Zerodium founder Chaouki Bekrar did not respond to a request for comment.
Here’s the announcement via Twitter:
Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS/RHEL/Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018. To submit, please check: https://t.co/8NeubPvSdj
— Zerodium (@Zerodium) February 8, 2018
Last year, Zerodium offered a $1 million bounty to any hackers who found bugs and exploits against the anonymizing Tor Browser. That offer lasted three months and ended in December. The usual price for those zero days is up to $100,000. Some observers saw that that seven-figure payout as a publicity stunt, but Bekrar said at the time that demand among government customers was high. He never commented on the outcome of the program.
Zerodium’s highest bounty is $1.5 million for a zero-click remote jailbreak against the iPhone. That lofty price, along with comments from others in the industry, showcase the high level of difficulty hackers are having against Apple’s flagship device, which is notorious for its increasingly high level of security compared to the rest of the world’s mobile gadgets. Zerodium also offers $500,000 for zero days against secure messenger apps like Signal, WhatsApp, Telegram and iMessage.
“The price that Zerodium puts on a product is always an indication of the security of that product, the higher the price, the better is the security of that product,” Bekrar told CyberScoop last year. “The prices result from both a high demand and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers.”