Premium Exploit Vendor Now Offers Higher Bounties for 0-Days in Secure Messaging Apps – iOS Flaws Still the Most in Demand
Zerodium has increased the financial rewards for security researchers who submit zero-day flaws in secure messaging and email applications. The cybersecurity firm announced a new pricing structure today that now pays more to those who exploit vulnerabilities in messaging apps than those focused on web browsers or operating systems.
The private exploit seller announced that it will offer up to $500,000 for remote code execution and privilege escalation vulnerabilities that are discovered in the popular instant messaging and email apps like WhatsApp, Signal and Telegram.
“Zerodium pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices,” the company wrote. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at Zerodium we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”
Zerodium starts focusing more on secure messaging apps due to high demand
The latest changes in the reward scheme will get researchers about half a million dollars for reporting previously unknown vulnerabilities in popular messaging apps, such as WhatsApp, iMessage, Telegram, Signal, Facebook, and WeChat, or traditional SMS/MMS messaging.
- $500,000 – Messaging Apps RCE + LPE (SMS/MMS, iMessage, Telegram, WhatsApp, Signal, Facebook, Viber, WeChat)
- $500,000 – Default Email Apps RCE + LPE
Probably in response to the leaked EternalBlue NSA exploit, Zerodium is also rewarding up to $300,000 for “Windows 10 RCE (Zero Click) i.e. remote exploits targeting default Windows services e.g. SMB or RDP.”
While the company has increased payments for Google Chrome RCEs from $80,000 to $150,000 and for exploiting flaws in FireFox/Tor, the messaging app exploits will now be rewarded way more than browser flaws.
Zerodium founder Chaouki Bekrar said that the “high value of zero-day exploits for such apps comes from both a high demand by customers and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers.”
iPhone remains the most rewarding segment with an iOS remote jailbreak with persistence (without any user interaction) bringing up to $1.5 million and a remote jailbreak with persistence but with user interaction (limited to clicking a malicious link or opening a file) bringing $1,000,000.
Here’s the complete, updated “Payouts Changelog:”