Zerodium

Zerodium
Founded: 2015
Headquarters: United States
Area served: Information security
Website: www.zerodium.com

Zerodium is an American information security company. The company was founded in 2015 with operations in Washington, D.C., and Europe. The company develops and acquires zero-day exploits from security researchers. It then reports the research, provides protective measures, and makes security recommendations to government clients. Zerodium reports it has paid over 2,000 researchers more than $100,000,000 in bounties between 2015 and 2023. [1]

History

Zerodium was launched on July 25, 2015 by the founders of Vupen. The company pays bounties for zero-day exploits. A zero-day exploit is a cybersecurity attack that targets security flaws in computer hardware, software or firmware in order to maliciously plant malware, steal data, or damage the program. [2] Bug bounty programs, including Zerodium's, pay bounties for knowledge of these security flaws. Such programs contract with governments and companies such as Google and Yahoo to alert them to these flaws and cyberattacks. [3] [4]

Zerodium was the first company to release a full pricing chart for zero-days, ranging from $5,000 to $1,500,000 per exploit. [5] The company was reported to have spent between $400,000 and $600,000 per month on vulnerability acquisitions in 2015. [6]

In 2016, the company increased its permanent bug bounty for iOS exploits to $1,500,000. [7]

Zerodium published a new pricing chart exclusively for mobile zero-days ranging from $10,000 to $500,000 per exploit in 2017. The company also announced a time-limited bounty of $1,000,000 for Tor browser exploits. [8]

In 2018 the company added new products to its bounty program, including cPanel, Webmin, Plesk, DirectAdmin, ISPConfig, OpenBSD, FreeBSD, and NetBSD. It also increased its payouts for various software, including a bounty of up to $500,000 for Windows remote code execution exploits. [9]

In January 2019, Zerodium once again increased its bounties for almost every product, including payouts of $2,000,000 for remote iOS jailbreaks; $1,000,000 for WhatsApp, iMessage, SMS, and MMS RCEs; and $500,000 for Chrome exploits. [10]

In September 2019, Zerodium increased its bounty for Android exploits to $2,500,000; for the first time, the company was paying more for Android exploits than for iOS. Payouts for WhatsApp and iMessage were also increased. The company was reportedly spending between $1,000,000 and $3,000,000 each month on vulnerability acquisitions. [11]

Its official website claims that Zerodium has more than 2,000 researchers as of July 2023 and that, in addition to its permanent bounties, it has launched a time-limited bug bounty program aimed at acquiring zero-day exploits that fall outside Zerodium's usual scope or for which the company is temporarily increasing its payouts. [12]

Criticism

Reporters Without Borders criticized Zerodium for selling information on exploits used to spy on journalists to foreign governments. [13]


References

  1. "ZERODIUM - The Premium Exploit Acquisition Platform". zerodium.com. Retrieved 2024-02-28.
  2. "What is a Zero-Day Exploit? | IBM". www.ibm.com. Retrieved 2024-02-28.
  3. "Google and Alphabet Vulnerability Reward Program (VRP) Rules | Google Bug Hunters". bughunters.google.com. Retrieved 2024-02-28.
  4. "Yahoo! - Bug Bounty Program". HackerOne. Retrieved 2024-02-28.
  5. Andy Greenberg (18 November 2015). "Here's a Spy Firm's Price List for Secret Hacker Techniques". Wired. Retrieved 26 August 2016.
  6. Sean Michael Kerner (21 September 2015). "Zerodium Offering a $1 Million iOS 9 Bug Bounty". eWeek.
  7. Lily Hay Newman (29 September 2016). "A Top-Shelf iPhone Hack Now Goes for $1.5 Million". Wired.
  8. Zerodium (13 September 2017). "Tor Browser Zero-Day Exploits Bounty for $1.0 Million".
  9. Zerodium (13 September 2018). "Zerodium is increasing its bounties for browsers, servers, mobiles, and more".
  10. Zerodium (7 January 2019). "Zerodium is increasing its bounties for iOS to up to $2,000,000".
  11. Sophos (9 January 2019). "Zerodium's waving fatter payouts for zero-day bug hunters".
  12. Zerodium (5 July 2021). "Zerodium Time Limited Bug Bounties".
  13. "RSF unveils 20/2020 list of press freedom's digital predators | Reporters without borders". RSF. 2020-03-10. Retrieved 2021-10-31.