A company is offering up to one million dollars in bounties for anyone who finds and reports exploitable zero-day flaws in the Tor Browser.
On 13 September, controversial vulnerability broker Zerodium announced the Tor zero-day bounty program, covering Tails Linux and Windows. The program follows roughly a year after Zerodium offered $1.5 million for an iOS 10 jailbreak. Participants stand to earn as much as $250,000 for a chain that achieves remote code execution plus local privilege escalation leading to full system compromise while JavaScript is blocked, on both operating systems. For just one of the two platforms, the payout is slightly less at $200,000.
Zerodium’s payouts fall off from there. But even someone who simply demonstrates an RCE flaw without local privilege escalation in either Tails Linux or Windows can still hope to collect a reward of $75,000.
So what’s the reasoning behind this bug bounty push? Zerodium has the answer:
“While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”
No doubt there are people who abuse Tor for criminal purposes. But to undermine the security of law-abiding, privacy-conscious folks in a bid to make a buck off government actors hardly seems justified.
Stephani Whited, a spokesperson for Tor, agrees with that sentiment. As she told Motherboard:
“We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty. Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”
Zerodium’s bounty will last until 30 November 2017 or until it pays out one million dollars in rewards. Let’s hope the firm doesn’t get close to awarding that amount in that span of time. Instead, we hope that security researchers will heed Whited’s words and disclose all vulnerabilities affecting the Tor Browser in a responsible manner. They can do so via the Tor Project’s bug bounty program here.