Zerodium Offers $1M for Tor Browser Zero-Day Exploits

Zerodium, a bug bounty company, is offering up to $1 million for sharing zero-day vulnerabilities in the Tor browser.

Zerodium has made a new announcement that it will offer a huge sum for zero-day exploits on the Tor browser platform, and the amount could be as high as $1 million.

It is possible that the United States Department of Justice or the Federal Bureau of Investigation (or even both jointly) have found an effective way of pursuing the users of darknet sites via the Tor browser.

The majority of transactions on this anonymity browser are understood to be illegal, such as dealing drugs, arms, stolen goods, and so on.

There are also sites that sell stolen data like passwords and credit card information, and many attempts have been made by the law enforcement agencies to shut down some of these dark web marketplaces.

Phenomenal Sums Offered

Just last month, Zerodium offered half a million dollars in bug bounty for detecting zero-day vulnerabilities in top messaging apps such as WhatsApp.

Even at that time, the company had stated that it was working on behalf of certain unnamed government agencies.

It was then speculated that since many of these messaging apps are being used by terrorists and other criminals exploiting the end-to-end encryption of the messages, the law enforcement agencies were keen to break into the programs and gain access to such elements’ activities.

In the same way, this announcement of rewards of up to $1 million for detecting and demonstrating vulnerabilities in the Tor browser can be seen as an attempt to gain access to these encrypted sites.

Different Conditions Imposed

The latest Zerodium bug bounty program comes with specific conditions for the researchers.

At the broad level, it says the zero-day exploits need to be fresh or hitherto unknown, and also fully functional. This means if the loophole is already plugged, then the reward may not be payable.

Additionally, the bugs have to be found on the Tor browser running on the Windows 10 or Tails Linux platforms.

The slabs offered include a $250,000 bug bounty reward for code execution plus local privilege bugs on both the platforms, Linux and Windows combined.

If details of the Tor browser bugs are shared only on either one of these, then the amount comes down to $200,000.

Zerodium further drops these figures if the system allows JavaScript to be run, and other processes similar to it.

These figures could be $185,000, $125,000 and $85,000 under different conditions.

Zerodium’s Transparency is Questionable

Zerodium’s white hat operation is quite different from others.

The only issue experts see in the way Zerodium operates its bounty programs is that it does not get back to the owner of the site and share the vulnerabilities it has obtained through this program.

Instead, it claims to work for government agencies and passes the information over to them.

This is not the way most white hat operators function.

Usually, they would either locate a bug themselves or collect one by paying a bug bounty and then immediately alert the sites to ensure that the vulnerability is solved through security patches.

In defense of Zerodium, the Tor browser project could be treated as a special case where it is the users of the sites who are trying to hide their identities and carrying out illegal activities.

And if the zero-day exploits help track them down, the program could be in the larger public interest.

Tor Browser Supposedly Safe & Secure

The latest bounty offering of $1 million has a direct bearing on the thousands of people who trade anonymously within the Tor browser platform, in the hope that their real identities and the details of their transactions and funds cannot be traced back.

Tor has responded to this concern by claiming that their browser is absolutely safe.

It’s possible that the very fact that such high amounts are being offered to crack the browser is itself an indication that it’s not easy to find vulnerabilities in the program.

But recent events have shown that it is not impossible to crack into the dark web.

Agencies working on this have managed to find their way in and pose decoy transactions in order to trace the vendors through the delivery mechanisms they employ, like post offices or courier companies.

Even arrests have been made in the U.S. of people peddling drugs on sites like AlphaBay, especially after the darknet market was shut down a few months ago.

Zerodium may still succeed in its efforts in locating zero-day exploits and vulnerabilities.

The current program will run through November 30 or until the full bounty of $1 million is claimed, whichever happens first.
