Zerodium, an infosec and premium zero-day acquisition platform known for selling zero-day exploits to governments has announced that it will be paying a huge amount of money to buy iOS remote jailbreak and exploits related to WhatsApp, iMessage, or SMS/MMS.
See: Zerodium uses Twitter to disclose critical zero-day flaw in Tor Browser
According to a statement from the founder of Zerodium Chaouki Bekrar, it is very important to intercept messaging apps because their end-to-end encryption makes it difficult for governments to get the data they need.
“Having the ability to remotely compromise these apps directly without compromising the whole phone is much more strategic and effective,” said Bekrar.
Furthermore, Zerodium has stated that it will pay security researchers a whopping $1,000,000 for finding exploits in the messaging platforms including iMessage, WhatsApp, and similar messaging apps.
The company has announced that it will increase the payouts for working exploits for its entire program. It will pay $2m for iOS remote jailbreak, half a million for Google Chrome RCEs. Hence, the payouts for authentic zero-day exploits will range from $2,000 to $2m for every submission and even higher payouts will be offered for “exceptional exploits and research.”
Bekrar previously ran Vupen Security before starting Zerodium in 2015. The primary purpose of Vupen Security was to discover zero-day vulnerabilities for selling them to intelligence and law enforcement agencies. Bekrar claims Zerodium to be a platform that is established to build “global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
It works on a different business model as it acquires zero-day vulnerabilities from freelance security researchers. The startup then analyzes, records and reports the findings to its customers, which includes organizations and governments, apart from “protective measures and security recommendations.”
The price hike by Zerodium indicates that it has now become too difficult to identify and exploit vulnerabilities in today’s applications and operating systems especially when it comes to Apple who reportedly avoids sharing malware definitions with third-party security firms.