Zerodium increases Outlook zero-click bug bounty to $400,000

The US security company Zerodium has announced that it is raising its bounty for Microsoft Outlook zero-click vulnerabilities from the original $250,000 to a maximum of $400,000. Don’t mistake this for an effort to help Microsoft improve product security: the company acquires vulnerabilities from researchers and resells them. For example, Zerodium has previously issued a public call for iOS zero-click vulnerabilities from researchers and hackers around the world, with a maximum payout of $2 million for a full exploit chain.

Microsoft Outlook is one of the most widely used email clients in the world, and its huge user base makes it an attractive target for organizations with shady motives. Zerodium has announced that its bounty for this software has been temporarily increased from $250,000 to a maximum of $400,000, provided the bug can be triggered with zero clicks. A zero-click vulnerability is one that requires no user interaction; the Pegasus spyware from NSO Group, for example, can infect iOS devices with zero clicks. Zerodium requires that the vulnerability be triggered merely by the target user receiving or downloading the email. If the user has to click to open the email or an attachment, the payout is reduced. The company also announced a $200,000 bounty for Mozilla’s open-source email client Thunderbird, likewise for potential zero-click exploits.

Zerodium operates by collecting bugs from researchers and hackers to expand its exploit portfolio and then selling the compiled exploits to certain governments. Those government agencies then use the vulnerabilities to launch covert attacks on target users, a practice essentially no different from that of the notorious NSO Group. Public information shows that Zerodium has paid out more than $50 million in bounties since 2015, and has acquired and successfully sold numerous exploits.