Controversial exploit broker Zerodium has upped its bug bounties for the majority of desktop/server and mobile exploits, offering security researchers millions of dollars for their work.
At the lower end, a Windows local privilege escalation or sandbox escape will now pay out $80,000, up from $50,000, while at the top of the server/desktop category are “zero click” Windows remote code execution exploits, which have doubled in value to $1m.
However, the biggest bucks go to researchers looking for flaws in mobile platforms.
A local pin/passcode or Touch ID bypass for Android or iOS will net you $100,000, up from $15,000, while a zero click Apple iOS remote jailbreak with persistence is now worth $2m, up from $1.5m
“Zerodium pay outs for eligible zero-day exploits range from $2000 to $2m per submission,” the firm’s website explained.
“The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc).”
The firm claims it was founded to “build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
However, unlike Trend Micro’s Zero Day Initiative, for example, exploits submitted to the firm are usually sold on privately rather than shared with the white hat community and vendors.
Law enforcement and intelligence services around the world are keen to get their hands on the latest security research, to monitor terrorists and criminals but also dissidents, journalists and others.