Exploit acquisition firm Zerodium has offered bounties of up to 1 million US dollars for Tor Browser 0-day vulnerabilities. Zerodium's Tor 0-day bounty program is open until November 30th at 6pm Eastern, or until Zerodium ends it early after having paid out 1 million dollars for Tor 0-days. The company has stated that it plans to sell these zero day exploits to government customers, such as law enforcement agencies. In the United States, zero day exploits have been stockpiled and used by intelligence agencies such as the NSA and the CIA. Earlier this year the government dropped charges against child pornography suspects rather than have the FBI disclose a zero day exploit it had used against Tor users.
"While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all," Zerodium writes in their FAQ for the Tor 0-Day Bounty program. Zero day vulnerabilities that would require "control or manipulation of Tor nodes" as well as "exploits/attacks that would cause disruption of legitimate use of the Tor network" will not be accepted by Zerodium.
The exploit must be deliverable through a simple web page, and must work against both the current stable release and the current experimental release of the Tor Browser. It must not require any interaction from the victim beyond loading the malicious web page. The company is looking for zero day exploits that work against the Tor Browser at its highest security setting, where JavaScript is disabled, as well as exploits that only work at its default low security setting, where JavaScript is enabled. The exploits Zerodium is looking for must give the attacker remote code execution with the privileges of the user account running the browser, or additionally escalate to unrestricted root privileges. Exploits that require the victim to interact with a popup message, or to download and open a document, are not eligible under the million dollar bounty program, but Zerodium says it reserves the right to make separate financial offers to hackers and security researchers who have such exploits.
Zero day exploits that work on both Tails 3 and Windows 10, provide remote code execution as well as local privilege escalation, and function under Tor Browser's highest security setting with JavaScript disabled can fetch up to $250,000 US dollars. Zero days that work on both Tails and Windows 10 but only provide remote code execution under the highest security setting can fetch up to $185,000 US dollars. Zero day exploits that provide remote code execution and local privilege escalation under the highest security setting but work on only one operating system, such as only Windows 10 or only Tails 3, are also eligible at a lower payout. Zero day exploits that only function under Tor Browser's lowest security setting, which allows the execution of JavaScript, can fetch anywhere from $75,000 to $125,000 US dollars. The company intends to keep buying zero day exploits for Tor Browser even after the million dollar bounty program ends.
The bounties will be paid by bank transfer or in Bitcoin. The company is specifically looking for exploits that work against Tor Browser running on Tails 3.x or Windows 10. Earlier this year Zerodium introduced a half a million US dollar bounty for 0-day exploits against encrypted messaging apps such as Signal, WhatsApp and Facebook Messenger that provide remote code execution and local privilege escalation. In July of this year the Tor Project itself launched its own bug bounty program. Late last year a zero day exploit for the Tor Browser was found being used to de-anonymize users; that exploit was said to be nearly identical to one deployed by the FBI against Tor users in 2013.