Researchers are now encouraged to find zero-day flaws in the Tor Browser. Zerodium, the infamous private exploit reseller, has launched a new program promising rewards of up to $1 million. All a researcher has to do is find a previously unknown flaw in the browser on Windows and the Tails Linux distribution, and report it prior to November 30, 2017.
Researchers willing to contribute to the program should also note that if the company gets what it wants before the given deadline, the program might be closed earlier.
“With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript,” Zerodium stated recently.
Zerodium’s Rules to Qualify for the Bug Bounty Program
For those willing to participate, there are certain rules to be considered. First and foremost, the research should rely on exclusive, unknown, unreported and unpublished zero-day exploits. It should also be able to circumvent all exploit mitigations suited for each target category, Zerodium explains.
The initial attack vector must be a web page targeting the latest versions of Tor Browser, both stable and experimental. The specification here is that the configuration should be non-default or hardened, with JavaScript blocked for all websites. The default configuration may also be used.
The exploit in question should be fully functional and reliable, and lead to remote code execution on the operating system, either with the privileges of the current user or with unrestricted root/SYSTEM privileges. That’s not all. The whole process of exploitation should be carried out silently, with no message or popup triggered. No user interaction should be needed except visiting a web page.
Attack vectors relying on opening a document are not eligible. Zerodium, however, may make a distinct offer for such an exploit. Lastly, exploits that cause disruption of the Tor Network are not acceptable, nor are exploits requiring manipulation of Tor nodes.
Why launch this bug bounty? To help the government.
“We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all,” Zerodium says.
Interestingly, back in July this year, Tor initiated its own bug bounty program to prevent the identity of Tor users from being revealed.