Zerodium Platform Announces Reward Increase to $400,000

According to Bleeping Computer, exploit broker Zerodium has announced a temporary increase, to $400,000, in the reward it pays for a fully functional zero-click exploit that uses a zero-day vulnerability to achieve remote code execution (RCE) in the Microsoft Outlook email client. Previously, the platform bought such exploits for $250,000.

The increase is a temporary measure, but Zerodium did not disclose when it will stop accepting submissions under this promotion.

To qualify for the maximum payout, the exploit must enable a remote zero-click attack on the user's device: it must trigger when the victim receives or downloads email in Outlook, without any additional user interaction such as reading the malicious message or opening an attachment.

Zerodium clarified that it does not rule out rewards for other one-click exploits that require opening or reading email. In this case, the hacker will receive a smaller payout, which the platform has not disclosed.

Zerodium also pointed out that since 2019 it has offered a $200,000 payout for a zero-click RCE exploit for Mozilla Thunderbird.

Zerodium also temporarily tripled its reward for an RCE exploit for WordPress, to $300,000.

On December 31, 2021, Zerodium stopped accepting submissions of sandbox-escape exploits for Google Chrome (for which it had paid up to $400,000) and RCE exploits for VMware vCenter (up to $150,000).

The exploit broker's higher payouts for zero-day vulnerabilities in Microsoft products come as the vendor itself moves in the opposite direction. Microsoft has been reducing rewards for researchers in its bug bounty program since April 2020: it now pays up to $5,000 for a sandbox escape, and has cut the payout for a 0-day vulnerability from $10,000 to $1,000.

On November 22, 2021, in protest against Microsoft's bug bounty cuts, a researcher posted on GitHub a working exploit for the Windows zero-day vulnerability CVE-2021-41379, which allows a local user with limited rights to elevate privileges to SYSTEM.

In July 2021, Microsoft revealed that over the past year, it has paid out about $13.6 million to third-party security and IT experts through 17 programs to find vulnerabilities in its software products and services. From July 1, 2019 to June 30, 2020, Microsoft paid out $13.7 million through its bug bounty programs to just 327 researchers.