Zerodium is an American information security company. The company was founded in 2015 with operations in Washington, D.C., and Europe. The company develops and acquires zero-day exploits from security researchers. It then reports the research, provides protective measures, and makes security recommendations to government clients. Zerodium reports it has paid over 2,000 researchers more than $100,000,000 in bounties between 2015 and 2023.[1]

Zerodium
Founded: 2015
Headquarters: United States
Area served: Information security
Website: www.zerodium.com

History

Zerodium was launched on July 25, 2015 by the founders of Vupen. The company pays bounties for zero-day exploits. A zero-day exploit is a cybersecurity attack that targets security flaws in computer hardware, software or firmware in order to maliciously plant malware, steal data, or damage the program.[2] Bug bounty programs, including Zerodium's, pay bounties for knowledge of these security flaws. Such programs contract with governments and with companies such as Google and Yahoo to alert them to these flaws and to cyberattacks.[3][4]

Zerodium was the first company to release a full pricing chart for zero-days, ranging from $5,000 to $1,500,000 per exploit.[5] The company was reported to have spent between $400,000 and $600,000 per month on vulnerability acquisitions in 2015.[6]

In 2016, the company increased its permanent bug bounty for iOS exploits to $1,500,000.[7]

Zerodium published a new pricing chart exclusively for mobile zero-days ranging from $10,000 to $500,000 per exploit in 2017. The company also announced a time-limited bounty of $1,000,000 for Tor browser exploits.[8]

In 2018 the company added new products to its bounty program, including cPanel, Webmin, Plesk, DirectAdmin, ISPConfig, OpenBSD, FreeBSD, and NetBSD. It also increased its payouts for various software, including a bounty of up to $500,000 for Windows remote code execution exploits.[9]

In January 2019, Zerodium once again increased its bounties for almost every product, including a payout of $2,000,000 for remote iOS jailbreaks; $1,000,000 for WhatsApp, iMessage, SMS, and MMS RCEs; and $500,000 for Chrome exploits.[10]

In September 2019, Zerodium increased its bounty for Android exploits to $2,500,000; for the first time, the company was paying more for Android exploits than for iOS exploits. Payouts for WhatsApp and iMessage were also increased. The company was reportedly spending between $1,000,000 and $3,000,000 each month on vulnerability acquisitions.[11]

As of July 2023, Zerodium's official website claims more than 2,000 researchers. In addition to its permanent bounties, the company has launched a time-limited bug bounty program that aims to acquire zero-day exploits outside Zerodium's usual scope, or for which the company is temporarily increasing its payouts.[12]

Criticism

Reporters Without Borders criticized Zerodium for selling information on exploits used to spy on journalists to foreign governments.[13]

References

  1. ^ "ZERODIUM - The Premium Exploit Acquisition Platform". zerodium.com. Retrieved 2024-02-28.
  2. ^ "What is a Zero-Day Exploit? | IBM". www.ibm.com. Retrieved 2024-02-28.
  3. ^ "Google and Alphabet Vulnerability Reward Program (VRP) Rules | Google Bug Hunters". bughunters.google.com. Retrieved 2024-02-28.
  4. ^ "Yahoo! - Bug Bounty Program". HackerOne. Retrieved 2024-02-28.
  5. ^ Andy Greenberg (18 November 2015). "Here's a Spy Firm's Price List for Secret Hacker Techniques". Wired. Retrieved 26 August 2016.
  6. ^ Sean Michael Kerner (21 September 2015). "Zerodium Offering a $1 Million iOS 9 Bug Bounty". eWeek.
  7. ^ Lily Hay Newman (29 September 2016). "A Top-Shelf iPhone Hack Now Goes for $1.5 Million". Wired.
  8. ^ Zerodium (13 September 2017). "Tor Browser Zero-Day Exploits Bounty for $1.0 Million".
  9. ^ Zerodium (13 September 2018). "Zerodium is increasing its bounties for browsers, servers, mobiles, and more".
  10. ^ Zerodium (7 January 2019). "Zerodium is increasing its bounties for iOS to up to $2,000,000".
  11. ^ Sophos (9 January 2019). "Zerodium's waving fatter payouts for zero-day bug hunters".
  12. ^ Zerodium (5 July 2021). "Zerodium Time Limited Bug Bounties".
  13. ^ "RSF unveils 20/2020 list of press freedom's digital predators | Reporters without borders". RSF. 2020-03-10. Retrieved 2021-10-31.