Firm offers up to $1 million for Tor zero-day exploits – but who will they sell them to?

Individual rewards and payouts suggest customers with deep pockets…

David Bisson


A company is offering up to one million dollars in bounties for anyone who finds and reports exploitable zero-day flaws in the Tor Browser.

On 13 September, controversial vulnerability broker Zerodium announced a Tor Browser zero-day bounty program covering Tails Linux and Windows. The program follows roughly a year after Zerodium offered $1.5 million for an iOS 10 jailbreak. Participants stand to earn as much as $250,000 for a chain that achieves remote code execution plus local privilege escalation leading to full system compromise, with JavaScript blocked, on both operating systems. For a chain that works on just one of the two platforms, the top payout is slightly less at $200,000.

Zerodium’s payouts fall off from there. But even someone who simply demonstrates an RCE flaw without local privilege escalation on either Tails Linux or Windows can still hope to collect a reward of $75,000 at the bottom of the scale.


So what’s the reasoning behind this bug bounty push? Zerodium has the answer:

“While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”

No doubt there are people who abuse Tor for criminal purposes. But undermining the security of law-abiding, privacy-conscious users in order to make a buck off government actors hardly seems justified, not least because an exploit sold to one government customer protects no one else who relies on the same browser.


Stephanie Whited, a spokesperson for Tor, agrees with that sentiment. As she told Motherboard:

“We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty. Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Zerodium’s bounty runs until 30 November 2017 or until the firm has paid out one million dollars in rewards, whichever comes first. Let’s hope it doesn’t get close to awarding that amount in that span of time. Instead, we hope that security researchers will heed Whited’s words and disclose any vulnerabilities affecting the Tor Browser responsibly, via the Tor Project’s own bug bounty program.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
