Zerodium Raises Zero-Day Payout Ceiling to $2M | Threatpost

Exploit acquisition vendor Zerodium said Monday that it is upping its payouts for full, working exploits across its entire program. It’s now paying $2 million for remote iOS jailbreaks, $1 million for WhatsApp/iMessage/SMS/MMS remote code-execution (RCE) and a half-million for Google Chrome RCEs.

The move means that payouts for eligible zero-day exploits range from $2,000 to $2 million per submission – with even higher payouts available for “exceptional exploits and research,” it said on its website.

The amount awarded depends on the affected software/system, as well as the quality of the submitted exploit (i.e., whether it is a full or partial chain, whether it affects current versions, how reliable it is, which exploit mitigations it bypasses, and so on). The research must be original and previously unreported.

Announcement: We are increasing our bounties for almost every product.
We’re now paying $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp/iMessage/SMS/MMS RCEs, and $500,000 for Chrome RCEs.
More information at: https://t.co/0NBRnq4I4y pic.twitter.com/vXDyxC3Q4v

— Zerodium (@Zerodium) January 7, 2019

Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, is known for offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty for iOS 9 exploits. It then one-upped itself in 2016 by offering a $1.5 million bounty for an iOS 10 remote jailbreak. In 2017, it debuted payouts for private messaging apps such as Signal and WhatsApp, and it said it would pay up to $1 million for zero-day exploits for Tor Browser on Tails Linux and Windows.

As a vulnerability dealer, Zerodium has not been without controversy for brokering exploits that could end up in the wrong hands. Yet it bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

It also says that it “analyzes, documents and reports the findings to its clients” (a small set of organizations and governments) “along with protective measures and security recommendations.”