How To Earn $2M For An Exploit? Zero-Day Exploits Bounties Are On The Rise

We all trust in the security of our mobile devices or notebooks while communicating with business partners, doing our banking transactions or using messengers to share things that should stay private. However, software never was and never will be flawless. Security weaknesses in software that have not been disclosed publicly cannot get fixed. These so-called zero-day exploits are particularly valuable for cyber criminals as well as for intelligence services.

Responsible tech companies run a bug bounty program to reward people for reporting such zero-day exploits, but third parties who are not interested in fixing these bugs have always offered higher pay. Don’t get me wrong. I don’t want to encourage anyone to sell zero-day exploits. Instead, responsible disclosure should be the obvious choice.

Bounties for zero-day exploits have recently increased at Zerodium. Is that a sign of improved security or do we have a growing demand in a bigger market? In my opinion, we see some progress on security but the growing demand is the greater driver.

Here are some examples:

Exploits for mobile devices:

  • $2,000,000 - Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
  • $1,500,000 - Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
  • $1,000,000 - WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)

Exploits for servers/desktops:

  • $1,000,000 - Windows RCE (Zero Click) e.g. via SMB or RDP packets (previously: $500,000)
  • $500,000 - Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
  • $500,000 - Apache or MS IIS RCE i.e. remote exploits via HTTP(S) requests (previously: $250,000)
  • $80,000 - Windows local privilege escalation or sandbox escape (previously: $50,000)

RCE = Remote Code Execution, meaning the attacker can run arbitrary code on your system; SBX = sandbox escape.

See the full list here.


More articles by Alexander Busse
