Pierluigi Paganini
September 14, 2017
The zero-day broker Zerodium offers $1 million for Tor Browser exploits with the intent to unmask Tor users. The controversial firm will then resell the zero-day exploit for Tor browser to law enforcement and government agencies, officially to give them a further instrument to de-anonymize Tor users in their investigations.
The company is searching for working exploits for Tor browser running on Windows and the privacy-focused Linux distro Tails OS.
“ZERODIUM, the premium zero-day acquisition platform, announces and hosts a Tor Browser Zero-Day Bounty. ZERODIUM will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows.” reads the announcement published by ZERODIUM. “The bounty is open until November 30th, 2017 at 6:00pm EDT, and may be terminated prior to its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).”
The Tor Browser bounty will run until November 30, but the company added that it may be closed earlier if the $1 million reward amount is paid out.
The company will pay out the highest rewards for exploits working on Tor browser with high security setting with JavaScript blocked, it also offers rewards for could unmask only users with JavaScript allowed (low” security setting).
“Today, ZERODIUM sets the bar even higher with a new technical challenge: develop a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED! Exploits for Tor Browser with JavaScript allowed are also accepted/eligible but have lower payouts (see below).” continues the announcement.
Zerodium is requesting exploits that could be used to trick targeted users into visiting a specially crafted web page.
The full price list is reported in the following table:
An exploit that works for achieves both remote code execution and local privilege escalation can earn up to $250,000, if it works on both Windows 10 and Tails 3.x with JavaScript blocked. If the exploit works on only one of the operating systems, it can still be worth up to $200,000.
A working exploit on just one of the operating systems can be pay up to $200,000, meanwhile a remote code execution exploit that does not include privilege escalation capabilities is worth up to $185,000 with JavaScript blocked.
Of course, exploits that work only when JavaScript is enabled can be paid up to $125,000 if they include both code execution and privilege escalation, and $85,000 for just the code execution.
In August, Zerodium offered up to $500,000 for remote code execution and privilege escalation vulnerabilities affecting popular instant messaging and email applications.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Tor Browser, bug bounty)
[adrotate banner=”5″]
[adrotate banner=”13″]
