Zerodium Offers Up to $500,000 for Linux Zero-Day Exploits
Buying and selling zero-day vulnerabilities is a lucrative business, but one that is easy to overlook. To see how the market is evolving, it is worth looking at the latest price list from Zerodium, one of the best-known zero-day brokers. For a more detailed picture of the company's operating model and business philosophy, its own website is the place to start.
“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices,” reads the company's website. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”
Like other exploit brokers, Zerodium acquires zero-day exploits and resells them to government and law enforcement customers. Privacy advocates worry that surveillance vendors may bundle such exploits into products that end up in the hands of authoritarian governments. Note the distinction the company itself draws: it is paying for fully functional exploits, not for bug reports or proof-of-concept crashes.
Zerodium now offers up to $500,000 for zero-day exploits against UNIX-like operating systems, including OpenBSD, FreeBSD and NetBSD. The same top price applies to zero-day exploits for mainstream Linux distributions such as Ubuntu, CentOS, Debian and Tails.
The price of a zero-day depends on a number of factors, including the market share of the affected platform (Windows zero-days usually fetch more than Linux ones) and the amount of user interaction the exploit requires (for example, how many clicks the victim must make).
Other factors include the reliability of the exploit, the number of additional vulnerabilities that must be chained together to achieve the result, the success rate, and the operating system configuration the exploit needs in order to work.
Linux zero-day prices have been climbing since February of this year, when the top purchase price stood at $45,000. The company has now published its latest price list: the primary targets are still remote code execution (RCE) and local privilege escalation (LPE) exploits for Linux and BSD systems, but both the price ranges and the maximum payouts have been raised.
Zerodium's current price for Linux privilege escalation zero-days ranges from $10,000 to $30,000, with the most valuable local privilege escalation (LPE) exploits fetching as much as $100,000. Linux remote code execution exploits can earn from $50,000 to $500,000, with CentOS and Ubuntu zero-days the most sought after.