A Well-Known Bug Bounty Platform Wants Zero-day Exploits for Windows VPN Clients
Zerodium Is Looking to Buy Zero-day Exploits for Vulnerabilities in Three VPN Service Providers.
Zerodium is a premium bug bounty platform created by cybersecurity specialists with zero-day exploit and vulnerability research experience. The goal of Zerodium is to gather together independent security researchers to give institutional clients the most sophisticated and strong cybersecurity capabilities.
Zerodium stated today in a brief tweet that it is looking to buy zero-day exploits for vulnerabilities in three prominent virtual private networks (VPN) service providers.
We’re looking for #0day exploits affecting VPN software for Windows:
– ExpressVPN
– NordVPN
– SurfsharkExploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.
Contact us: https://t.co/R6E2CVU9K3
— Zerodium (@Zerodium) October 19, 2021
As my colleague, Cezarina, thoroughly explains, a zero-day exploit refers to the method used by attackers to infiltrate and deploy the malware into a system.
Unintentional flaws, as well as programming mistakes in software programs or operating systems, can lead to vulnerabilities. Vulnerabilities generate security gaps that hackers can exploit if they are not fixed.
By routing your internet connection through the provider’s servers, VPN services allow you to disguise your IP address when accessing resources on the internet, as this type of routing makes it more difficult for third parties to trace your online activities, in this way improving your internet privacy.
The vulnerabilities targeting Windows clients for NordVPN, ExpressVPN, and SurfShark VPN services are of special relevance to Zerodium at the moment, as the vulnerability broker announced.
As reported by BleepingComputer, Zerodium is looking for problems that might expose information about users, their IP addresses, and vulnerabilities that could be exploited to execute malware remotely, but local privilege escalation is one sort of vulnerability that the broker does not want.
Why Does Zerodium Want the Zero-Day Exploits?
The rationale for the exploit broker’s disclosure is unknown, but one possibility is that government customers want a means to detect cybercrime hidden behind VPN services.
Government institutions, especially from Europe and North America, who require advanced zero-day vulnerabilities and cybersecurity skills make up Zerodium’s customer base.
Only a limited number of government clients have access to obtained zero-day research, according to the firm, which is guided by ethics and picks customers based on stringent criteria and screening processes.
Zerodium announced a temporary boost in payouts for Chrome vulnerabilities earlier this year and offered $1,000,000 for remote code execution (RCE) and sandbox escape exploit (SBX).
It’s interesting to note as well that for both mobile and desktop platforms, Zerodium offers payments for any operating system. Windows, macOS, LinuxBSD, iOS, and Android are the most popular.