The zero-day broker Zerodium is offering $1 million for Tor Browser exploits, with the intent of unmasking Tor users. The controversial firm will then resell the zero-day exploits for Tor Browser to law enforcement and government agencies, officially to give them a further instrument to de-anonymize Tor users in their investigations.
The company is searching for working exploits for Tor Browser running on Windows and on the privacy-focused Linux distro Tails OS.
“ZERODIUM, the premium zero-day acquisition platform, announces and hosts a Tor Browser Zero-Day Bounty. ZERODIUM will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows,” reads the announcement published by ZERODIUM. “The bounty is open until November 30th, 2017 at 6:00pm EDT, and may be terminated prior to its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).”
The Tor Browser bounty will run until November 30, but the company added that it may be closed earlier if the $1 million reward amount is paid out.
Zerodium is requesting exploits that could be used to trick targeted users into visiting a specially crafted web page.
The full price list is reported in the following table:
In August, Zerodium offered up to $500,000 for remote code execution and privilege escalation vulnerabilities affecting popular instant messaging and email applications.
(Security Affairs – Tor Browser, bug bounty)