Zerodium Offers $1M for Tor Browser Zero-Day Exploits

Posted on the 19 September 2017 by Darkwebnews @darkwebnews

Zerodium has made a new announcement that it will offer a huge sum for zero-days exploits on the Tor browser platform, and the amount could be as high as $1million.

It is possible that the United States Department of Justice or the Federal Bureau of Investigation (or even both jointly) have found an effective way of pursuing the users of darknet sites via the Tor browser.

The majority of transactions on this anonymity browser are understood to be illegal, such as dealing drugs, arms, stolen goods, and so on.

There are also sites that sell stolen data like passwords and credit card information, and many attempts have been made by the law enforcement agencies to shut down some of these dark web marketplaces.

Phenomenal Sums Offered

Just last month, Zerodium offered half a million dollars in bug bounty for detecting zero-days vulnerabilities in top messaging apps such as WhatsApp.

Even at that time, the company had stated that it was working on behalf of certain unnamed government agencies.

It was then speculated that since many of these messaging apps are being used by terrorists and other criminals exploiting the end-to-end encryption of the messages, the law enforcement agencies were keen to break into the programs and gain access to such elements' activities.

In the same way, this announcement of rewards of up to $1 million for detecting and demonstrating vulnerabilities in the Tor browser can be seen as an attempt to gain access to these encrypted sites.

Different Conditions Imposed

The latest Zerodium bug bounty program comes with specific conditions for the researchers.

At the broad level, it says the zero-days exploits need to be fresh or hitherto unknown, and also fully functional. This means if the loophole is already plugged, then the reward may not be payable.

Additionally, the bugs have to be found on the Tor browser running on the Windows 10 or Tails Linux platforms.

The slabs offered include a $250,000 bug bounty reward for code execution plus local privilege bugs on both the platforms, Linux and Windows combined.

If details of the Tor browser bugs are shared only on either one of these, then the amount comes down to $200,000.

Zerodium further drops these figures if the system allows JavaScript to be run, and other processes similar to it.

These figures could be $185,000, $125,000 and $85,000 under different conditions.

Zerodium's Transparency is Questionable

The only issue experts see in the way Zerodium operates its bounty programs is that it does not get back to the owner of the site and share the vulnerabilities it has obtained through this program.

Instead, it claims to work for government agencies and passes the information over to them.

This is not the way most white hat operators function.

Usually, they would either locate a bug themselves or collect by paying bug bounty and then immediately alert the sites to ensure that the vulnerability is solved through security patches.

To the defense of Zerodium, the Tor browser project could be treated as a special case where it is the users of the sites who are trying to hide their identities and carrying illegal activities.

And if the zero-days exploits help track them down, the program could be in the larger public interest.

Tor Browser Supposedly Safe & Secure

The latest bounty offering of $1million has a direct bearing on the thousands of people who trade anonymously within the Tor browser platform, in the hope that their real identities and the details of their transactions and funds cannot be traced back.

Tor has responded to this concern by claiming that their browser is absolutely safe.

It's possible that the very fact that such high amounts are being offered to crack the browser is itself an indication that it's not easy to find vulnerabilities in the program.

But recent events have shown that it is not impossible to crack into the dark web.

Agencies working on this have managed to find their way in and pose decoy transactions in order to trace the vendors through the delivery mechanisms they employ, like post offices or courier companies.

Even arrests have been made in the U.S. of people peddling drugs on sites like AlphaBay, especially after the darknet market was shut down a few months ago.

Zerodium may still succeed in its efforts in locating zero-days exploits and vulnerabilities.

The current program will run through November 30 or until the full bounty of $1million is claimed-whichever happens first.

Disclaimer:

You need to enable JavaScript to vote