Secure Messaging Apps Zero-Day Exploits
How much does your privacy cost?

It will soon be sold for half a Million US dollars.

A controversial company specialises in acquiring and reselling zero-day exploits is ready to pay up to US$500,000 for working zero-day vulnerabilities targeting popular secure messenger applications, such as Signal, Telegram and WhatsApp.

Zerodium announced a new pricing structure on Wednesday, paying out $500,000 for fully functional remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities in Signal, WhatsApp, iMessage, Viber, Facebook Messenger, WeChat, and Telegram.

The payouts for all these secure messengers have been increased after tech companies introduced end-to-end encryption in their apps, making it more difficult for anyone to compromise their messaging platforms.

The same payout is offered for remote code execution and local privilege escalation security flaws in default mobile email applications.

Launched in 2015, Zerodium is a Washington, DC-based premium exploit acquisition platform by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world.

The maximum bounty offered by the company remains for Apple's iOS devices with $1.5 million offered to anyone who can pull off a remote jailbreak of iOS devices without any user interaction, and $1 million for those that require user interaction.
Secure Messaging Apps Zero-Day Exploits
This payout was set last year when Zerodium raised the price for a remote iOS 10 jailbreaks from $1 Million to $1.5 Million, which is more than seven times what Apple is offering (up to $200,000) for iOS zero-days via its bug bounty program.

Zerodium Zero-Day Hit-list:

Zerodium's payout for other new exploit categories for servers and desktop computers include:
  • Up to $300,000 for a Windows 10 exploit that requires no user interaction
  • Up to $150,000 for Apache Web Server
  • Up to $100,000 for Microsoft Outlook
  • Up to $80,000 for Mozilla Thunderbird
  • Up to $80,000 for VMware escapes
  • Up to $30,000 for USB code execution
Zerodium has also raised the prices the company will pay for a range of other exploits, which include:
  • Chrome RCE and LPE for Windows—from $80,000 to $150,000
  • PHP Web programming language RCE—from $50,000 to $100,000
  • RCE in OpenSSL crypto library used to implement TLS—from $50,000 to $100,000
  • Microsoft Exchange Server RCE—from $40,000 to $100,000
  • RCE and LPE in the TOR version of Firefox for Linux—from $30,000 to $100,000
  • RCE and LPE in the TOR version of Firefox for Windows—from $30,000 to $80,000
The zero-day market has long been a lucrative business for private firms that regularly offer more payouts for undisclosed security vulnerabilities than big technology companies.

Hackers will get the payout within a week of submitting the zero-day vulnerabilities along with a working proof-of-concept, though we recommend you to submit them to the affected vendors because it's a matter of time when some black hat finds and uses them against you and wide audience.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.