Zerodium Will Triple Payouts for RCE Exploits for WordPress CMS
The Company Announced Via Its Social Media Account that Is Temporarily Offering a $300,000 Payout for Remote Code Execution (RCE) Exploits.
Zerodium is an American security company, whose main business is to develop and acquire premium zero-day exploits from security researchers and report the research, along with protective measures and security recommendations, to its government clients.
Last Friday, the organization has reported an increased attentiveness in exploits for the Content Management System (CMS) that attains Remote Code Execution (RCE).
The exploit purchase platform is currently tempting exploit developers and vendors with a $300,000 payout, three times more than the normal cost. The announcement was made via Twitter and stated that the current is not permanent, but no expiration date or motive for the decision was divulged.
We’re temporarily increasing our payouts for WordPress RCEs to $300,000 per exploit (usually $100K).
The exploit must work with latest WordPress, default install, no third-party plugins, no auth, no user interaction!
If you have this gem, contact us: https://t.co/PBuS1nnpED
— Zerodium (@Zerodium) April 9, 2021
As the platform is prepared to pay a zero-click exploit working on a default installation of WordPress (but not for exploits targeting WordPress plugins and third-party themes), both exploit developers and vendors stimulated by the new payout should review their eligibility conditions.
The payouts for working exploits depend on the equilibrium between request and offer, last May, the company announced that some types of iOS exploits weren’t accepted anymore because of surfeit. The firm stated that it took this decision due to the increased number of submissions.
We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.
— Zerodium (@Zerodium) May 13, 2020
For example, as is the case with premium exploits, this one must work on a clean set-up of WordPress with the standard configuration and no authentication or user interaction needed.
This indicates that using viruses in third-party plugins, no matter how popular and widespread, makes the exploit unfit.
Zerodium is looking for exclusive zero-day exploits and is open about the payouts it offers, being the first company to issue a pricing chart the same year it started.
During the recent years, the information security company’s list of items increased, obtaining exploits for operating systems and web browsers as well as for web panels and apps, email servers, and also analysis and procedures linked to certain technologies, such as antivirus, mitigation bypasses, Tor deanonymization, WiFi/Baseband, routers).
In addition, Zerodium updated its payouts and stated larger bounties for Android zero-day exploits than for iOS.
Those costs remain valid, with the price for an Android full chain with persistence zero-click exploits reaching up to $2.5 million, compared to the $2 million for the iOS counterpart.