
Zerodium increasing Tor Zero-Day bounties. Government requested exploits?

WMGroomAK

While perusing Bleeping Computer this morning, I saw this article and thought it was interesting and a little bit disconcerting if Zerodium is truly doing this at some governmental request... Essentially, Zerodium has set aside $1,000,000 for a zero-day bounty program for being able to find security exploits in the Tor Browser to provide Remote Code Execution & Local Privilege Escalation on Linux Tails 3.X & Windows 10 RS2/3.

https://www.bleepingcomputer.com/news/security/exploit-broker-zerodium-offers-1-million-for-tor-browser-zero-days/

Quote

In a bug acquisition program launched today, the company says it's interested in Tor Browser exploits that "[lead] to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges."

The company said it's searching for exploits that work on Tails — a privacy-hardened version of Linux — and Windows.

The exploit broker is interested in high-complexity exploits that do not require user interaction or show any errors or popups. Zerodium said it's looking for zero-days that require users only to visit a web page.

The company is not picky, accepting zero-days that work against Tor Browser instances running with security settings set to "high" (JavaScript disabled) or security settings set to "low" (default Tor Browser configuration).

Zerodium has been running an exploit acquisition program for years, and lists two price tables on its website, for desktop/server-related exploits, and for app/mobile-related zero-days.

In a FAQ section on its website, Zerodium says it launched this special Tor Browser zero-day acquisition program in response to government agencies looking for tools that deanonymize Tor users.

"The Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse," Zerodium explains. "We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all."

As a result, the company has set aside a budget of $1,000,000 that it will use to pay zero-days submitted during this urgent run on Tor Browser exploits. Once the budget is exhausted, the company will revert to the old prices, which aren't that small either, far above what official bug bounty programs pay out.

While I have no doubts that many criminals end up using Tor Browser to conduct illicit activities, it is also used in countries that have oppressive governments by people who are trying to raise awareness about things like human rights violations.

 

Zerodium Program page: https://zerodium.com/tor.html

Quote

With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript. Today, ZERODIUM sets the bar even higher with a new technical challenge: develop a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED! Exploits for Tor Browser with JavaScript allowed are also accepted/eligible but have lower payouts (see below).

 
