Sep 13, 2017 8:07 AM PT

$1M bounty offered for zero-day exploits targeting Tor Browser

Exploit broker Zerodium offered to pay $1 million in bounties for zero-day exploits that work when JavaScript is disabled for Tor Browser on Tails Linux and Windows.

Whether you use the anonymized browsing of Tor to protect your privacy, to get around censorship, or to shop on the Dark Web, you likely won’t be pleased to know a big red target has been painted on Tor after an exploit broker offered to pay $1 million for zero-day exploits targeting the Tor Browser on Tails Linux and Windows. Those zero-days will be sold to Johnny Law working in the government sector.

Exploit broker Zerodium announced today that it will pay $1 million in bounties for previously unknown exploits targeting Tor Browser.

According to the Tor Browser Bounty program:

Zerodium will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows. The bounty is open until November 30th, 2017 at 6:00pm EDT, and may be terminated prior to its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).

While Zerodium did note that the Tor network and Browser are used by people to improve their privacy and security, it added that many times it is “used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”

People trying to qualify for the premium bounty are asked to develop a zero-day exploit for Tor Browser with JavaScript blocked, which is an option via NoScript that comes bundled with Tor Browser. JavaScript-blocking via NoScript is not enabled by default, so users have to take the extra security step to block it.

In the words of Zerodium:

Today, Zerodium sets the bar even higher with a new technical challenge: develop a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED! Exploits for Tor Browser with JavaScript allowed are also accepted/eligible but have lower payouts.

According to the fine print, Zerodium wants only fully functional exploits that lead “to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges.” The exploit process must be silent and invisible to the user, require no user interaction, and trigger no warning messages or popups.

How much for zero-day exploits targeting Tor Browser on Tails and Windows 10?

The biggest payouts will be for zero-day exploits that work on Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit). If the exploit works with JavaScript blocked and leads to remote code execution (RCE) and local privilege escalation (LPE) to root/SYSTEM, then the payout is $250,000. If the exploit works with JavaScript blocked and only leads to remote code execution, then the payout is $185,000.

If the zero-day works only on boxes that allow JavaScript, then it is worth $125,000 if it leads to RCE and LPE, or $85,000 for only RCE.

How much for zero-day exploits targeting Tor Browser on Tails or Windows 10?

Zero-day exploits that target Tor Browser on Tails 3.x (64bit) or on Windows 10 RS3/RS2 (64bit), and that work when JavaScript is disabled, could earn a payout of $200,000 if they lead to RCE and LPE; you get $175,000 if the exploit leads to RCE only.

If the exploit works on boxes with the lower security settings due to having JavaScript enabled yet leads to RCE and LPE, then it is worth $100,000; $75,000 is the bounty reward if it leads to only RCE.

The Washington, D.C.-based Zerodium, founded by former Vupen co-founder Chaouki Bekrar in 2015, upped the payout for zero-day vulnerabilities targeting secure messaging apps in August. The exploit broker said it would pay $500,000 for fully functional attacks that worked against WhatsApp, Signal, Telegram, Facebook Messenger, iMessage, Viber, WeChat and others, as well as zero-days targeting mobile email apps.

Exploit brokers like Zerodium offer a bigger bounty reward than most vendors, yet the affected vendors are not notified about the vulnerabilities; that way, the zero-day doesn’t get patched. The brokers claim to sell the zero-day exploits to only vetted government organizations, but there’s not much transparency or oversight. In the past, journalists, dissidents and others have been targeted by government customers who can cough up the funds.