Zerodium offers up $500,000 to hackers for messaging app zero-days

24 Aug 2017

WhatsApp chat window. Image: PixieMe/Shutterstock

Exploit broker Zerodium announces massive bounties for hackers who spot vulnerabilities in popular messaging apps.

Washington DC exploit acquisition vendor Zerodium has announced that researchers who locate zero-day vulnerabilities affecting apps such as Facebook Messenger, WhatsApp, Signal and Telegram can now fetch payments of up to $500,000.

The new list of available rewards was released yesterday (23 August) on the company’s website.

Demand for zero-day vulnerabilities is high, especially for remote code execution (RCE) and local privilege escalation (LPE) exploits. An RCE lets an attacker run code of their choosing on the target device over the network, for example by sending a crafted message; an LPE exploits a design oversight or a bug so that code already running on the device, often in a restricted app sandbox, gains privileges it should not have, such as root or kernel access. The two are typically chained: the RCE gets the attacker in, and the LPE gives them control of the whole device.

A zero-day vulnerability is one that the vendor does not yet know about and so has had ‘zero days’ to fix; a zero-day exploit takes advantage of such a flaw before any patch exists, which is why attacks using it cannot be blocked by simply keeping software up to date.

Demand from government customers

According to Threatpost, Zerodium’s recent pricing change is more mobile-focused, with CEO Chaouki Bekrar explaining that the company’s government customers need zero-day exploits to monitor suspects’ communications on mobile messaging apps whose end-to-end encryption would otherwise keep the content out of reach.

Zerodium is looking to acquire high-risk vulnerabilities “with fully functional [or] reliable exploits affecting modern operating systems, software and devices”. As well as LPEs and RCEs, the company is also interested in sandbox escapes or bypasses, and SQL injection vulnerabilities.

If researchers report vulnerabilities directly to the vendor of the app – for example, Apple in the case of iMessage – in most cases the bug will be patched and all users of the app will be protected.

Conversely, if a researcher sells an exploit to a private broker such as Zerodium, the reward for the individual who made the discovery is higher, but the details go to the broker’s customers rather than to the vendor, and could end up in the hands of law enforcement or other private companies.

High risk, high reward

While it is keeping a lid on individual names, Zerodium customers include “major corporations in defence, technology and finance, in need of advanced zero-day protection, as well as government organisations in need of specific and tailored cybersecurity capabilities”.

Zerodium’s website explains the company rationale succinctly: “While the majority of existing bug bounty programmes accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at Zerodium, we focus on high-risk vulnerabilities with fully functional exploits and we pay the highest rewards on the market.”

It’s a murky but lucrative area for infosec researchers and hackers, and, with money continuing to pour into the market, zero-day values may continue to rise even further.


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects