Researchers are now being encouraged to find zero-day flaws in the Tor Browser. A new program has been launched by Zerodium, the infamous private exploit broker, promising rewards of up to $1 million. All a researcher has to do is disclose a previously unknown flaw in the browser on Windows and on the Tails Linux distribution, and report it before November 30, 2017.
Researchers willing to contribute to the program should also note that if the company gets what it wants before the given deadline, the program might be closed earlier.
Zerodium’s Rules to Qualify for the Bug Bounty Program
For those willing to participate, there are certain rules to be considered. First of all, the research should rely on exclusive, unknown, unreported and unpublished zero-day exploits. It should also be able to circumvent all exploit mitigations in place for each target category, Zerodium explains.
The exploit in question should be fully functional and reliable, and lead to remote code execution on the operating system, either with the privileges of the current user or with unrestricted root/SYSTEM privileges. That is not all. The whole exploitation process should be carried out silently, with no message or popup being triggered. No user interaction should be needed other than visiting a web page.
Attack vectors relying on opening a document are not eligible. Zerodium, however, may make a separate offer for such an exploit. Finally, exploits that cause disruption of the Tor network are not acceptable, nor are exploits requiring manipulation of Tor nodes.
Why launch this bug bounty? To help the government.
“We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all,” Zerodium says.
Interestingly, back in July this year, Tor initiated its own bug bounty program to prevent the identities of Tor users from being revealed.