Zerodium is an American security company whose main business is acquiring premium zero-day exploits from security researchers and reporting the research, along with protective measures and security recommendations, to its government clients.

Last Friday, the company announced heightened interest in exploits for the WordPress Content Management System (CMS) that achieve Remote Code Execution (RCE).

The exploit acquisition platform is currently tempting exploit developers and vendors with a $300,000 payout, three times its usual rate. The announcement was made via Twitter and stated that the increased payout is temporary, but no expiration date or motive for the decision was divulged.

Since the platform is only prepared to pay for a zero-click exploit that works against a default installation of WordPress (not for exploits targeting WordPress plugins or third-party themes), exploit developers and vendors drawn in by the new payout should review the eligibility conditions before submitting.

Payouts for working exploits depend on the balance between supply and demand. Last May, for instance, the company announced that it would no longer accept certain types of iOS exploits because of a surplus, citing the increased number of submissions as the reason for the decision.

As with all premium exploits Zerodium buys, a WordPress submission must work on a clean, default-configuration installation with no authentication and no user interaction required.

This means that an exploit relying on a vulnerability in a third-party plugin, no matter how popular and widespread the plugin, is ineligible.

Zerodium buys exclusive zero-day exploits and is open about the payouts it offers; it was the first company to publish a pricing chart, doing so the same year it was founded.

Zerodium prices for desktop and mobile
In recent years, the company's list of wanted items has grown: it now acquires exploits for operating systems and web browsers as well as for web panels and applications, email servers, and research and techniques tied to specific technologies (antivirus, mitigation bypasses, Tor deanonymization, WiFi/baseband, routers).

In addition, Zerodium updated its payouts and now offers larger bounties for Android zero-day exploits than for iOS ones.

Those prices still stand: a full-chain, zero-click Android exploit with persistence fetches up to $2.5 million, compared to $2 million for its iOS counterpart.
