Zerodium puts out $100,000 contract on Flash's heap isolation

News by Max Metzger

The bug bounty broker Zerodium has offered big bucks to whoever can crack Flash's recent heap isolation security update.

Bug bounty broker Zerodium has issued yet another bounty, this time for Adobe's Flash Player and has set the reward at $100,000.

This particular bounty was announced yesterday over Twitter, when @zerodium said that the big bounty of $100,000 (£60,000) would be paid out only for a bypass of the Flash Player heap isolation with a sandbox escape. The meagre sum of only $65,000 would be paid out without that sandbox escape.

This challenge has been mounted just after Adobe's infamously hole-ridden product was updated with a number of security enhancements, developed with assistance from Microsoft and Google.

Flash is not blessed with a great security record. Facebook ditched Flash late last year for better security when watching video on the social media platform. Security giant Brian Krebs piled in last September, encouraging readers to “strongly consider removing it, or at least hobbling it until and unless you need it.” Plagued by its bad reputation, Adobe has gone about plugging up its holes.

Specifically, heap isolation deals with the way Flash separates data processes inside the memory. By ‘isolating’ parts of that memory, the company has attempted to stop adversaries from performing a wide range of attacks. It's this new development in Flash that Zerodium wants cracked.

The world of bug bounties, much like the larger world of cyber-security, sits in what might be seen as a legally or morally grey area. Zerodium, and companies like it, offer ‘contracts’ on vulnerabilities within software with a nice fat reward for the lucky person who manages to find those vulnerabilities.

Those people can be white-hatted pen-testers or black-hatted cyber-crims and, in fact, they're often somewhere in between. Considering that fact, bug bounties are often fulfilled anonymously. While these bounties are often put out by the software developers themselves, as if to somehow say ‘come at me, bro’, bug bounty brokers like Zerodium act as a middle point, buying exploits and often selling them on to government or other interested parties.

In a moment of candour, Zerodium also released a price list, which shows exactly what the start-up will pay out for what exploit on what platform. The list runs from up to $5,000 for a remote code exploit of WordPress to $500,000 for a Remote Jailbreak of Apple's iOS.

Zerodium are famous for, among other things, issuing and paying out a $1 million bounty to anyone who could find a zero-day exploit for iOS 9 late last year. Apple had no comment, nor did Zerodium or Adobe at the time of publication.

