Whether you use the anonymized browsing of Tor to protect your privacy, to get around censorship, or to shop on the Dark Web, you likely won’t be pleased to know a big red target has been painted on Tor after an exploit broker offered to pay $1 million for zero-day exploits targeting the Tor Browser on Tails Linux and Windows. Those zero-days will be sold to Johnny Law working in the government sector.
Exploit broker Zerodium announced today that it will pay $1 million in bounties for previously unknown exploits targeting Tor Browser.
According to the Tor Browser Bounty program:
Zerodium will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows. The bounty is open until November 30th, 2017 at 6:00pm EDT, and may be terminated prior to its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).
While Zerodium did note that the Tor network and Browser are used by people to improve their privacy and security, it added that many times it is “used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”
According to the fine print, Zerodium wants only fully functional exploits that lead “to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges.” The exploit process must be silent and invisible to the user, require no user interaction, and trigger no warning messages or popups.
How much for zero-day exploits targeting Tor Browser on Tails and Windows 10?
The Washington, D.C.-based Zerodium, founded in 2015 by Chaouki Bekrar, who had earlier co-founded Vupen, raised its payouts for zero-day exploits targeting secure messaging apps in August. The exploit broker said it would pay $500,000 for fully functional attacks against WhatsApp, Signal, Telegram, Facebook Messenger, iMessage, Viber, WeChat and others, as well as for zero-days targeting mobile email apps.
Exploit brokers like Zerodium pay far more than most vendor bug bounty programs, but the affected vendors are never notified of the vulnerabilities, so the zero-day stays unpatched for as long as it remains useful to the buyer. The brokers claim to sell only to vetted government organizations, yet there is little transparency or oversight over who those buyers are or how the exploits are used. In the past, journalists, dissidents and others have been targeted by government customers able to cough up the funds.