Zero-day-acquisition firm Zerodium reported it will pay a total of US$ 1 million (£740,000) for zero day exploits found for the Tor browser on Tails Linux and Windows.
The bounty, which runs until 30 November 2017, covers several different exploits for which Zerodium is specifically searching and the company has set several bars that must be met to receive payment:
- The research being unknown, unpublished and unreported zero days.
- The initial attack vector must be a web page targeting the latest versions of Tor Browser.
- The exploit must be fully functional, reliable, and leading to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges.
- The whole exploitation process should be achieved silently, without triggering any message or popup, and without requiring any user interaction except visiting a web page.