Security firm ‘guarantees’ to pay more than Google does for Chrome exploits

A newly launched vendor that buys and sells exploits is making a play to corner the world’s most dangerous attacks.

In the wake of the Hacking Team’s massive leak that revealed details about the murky world of selling and buying exploits, a new company, Zerodium, has emerged in the hope of becoming the go-to company for exclusively “high risk vulnerabilities with fully functional/reliable exploits”.

As ThreatPost noted, Zerodium is the brainchild of well-known hacker Chaouki Bekrar, the founder of Vupen, a French security firm that develops its own exploits and sells them to clients but does not buy exploits from others.

The venture-backed company claims it will pay more than any other bug bounty for zero day flaws, including those run by Google, Mozilla and third-party bounties such as the Microsoft- and Facebook-backed Internet Bug Bounty.

Despite Silicon Valley firms offering tens of thousands of dollars in cash rewards, Zerodium could easily outbid them. The startup doesn't say how much it will pay for a bug, but an analysis by researcher Vlad Tsyrklevich of Hacking Team's leaked internal correspondence indicates Vupen wanted at least $100,000 to part with each high-quality exploit it developed, while correspondence from US-based exploit broker Netragard suggested an exclusive exploit for iOS could fetch as much as $1 million.

By contrast, Google’s top payout to date is about $40,000 for a string of flaws, and the company’s largest payment for a single flaw is $20,000. Microsoft offers $100,000 for an exploit that bypasses Windows’ anti-exploitation technologies.

“We only acquire high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, or privilege escalation, or sandbox bypass/escape, or sensitive information disclosure,” Zerodium says on its FAQ.

Zerodium explains that it's filling a gap in the vulnerability acquisition market, the majority of which "focus on quantity instead of quality", and as such is willing to outdo the low-value payments from Silicon Valley.

The company intends to use the bugs it buys to form part of its security research “feed” and claims its customers include “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”

The startup is on the hunt for bugs and exploits affecting widely deployed software: the latest versions of Windows, OS X, Android and iOS; browsers; Flash; web server software; email services; popular web applications such as WordPress; and networking devices.

However, it isn't interested in bugs that could be used to attack Facebook's or Google's servers and urges researchers to report those to the vendors' official bug bounty programs. It also won't accept bugs from researchers located in nations facing sanctions from the US or UN.

Zerodium has arrived on the exploit acquisition scene just as others make their exit. Its launch also comes as the US plans to step up regulation of software exploit exports.

Earlier this month Netragard announced it would terminate its Exploit Acquisition Program after Hacking Team’s leak revealed a relationship between the two companies and that exploits it sold to Hacking Team may have been used by governments with questionable human rights records — an outcome Netragard said it worked hard to avoid.

Tsyrklevich's analysis revealed that Vupen was one of a dozen companies from which Hacking Team acquired exploits, though emails indicated the relationship was strained for competitive reasons.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
