Researchers are not encouraged to find zero-day flaws in the Tor Browser. A new program is launched by Zerodium, the infamous private exploit reseller, which is promising rewards of up to 1$ million. All a researcher has to do is to disclose a previously unknown flaw for the browser on Windows and Tails Linux distribution, and report it prior to November 30, 2017.
Researchers willing to contribute to the program should also note that if the company gets what it wants before the given deadline, the program might be closer earlier.
Zerodium’s Rules to Qualify for the Bug Bounty Program
For those willing to participate, there are certain rules to be considered. First and foremost, the research should rely on exclusive, unknown unreported and unpublished zero-day exploits. It should also be able to circumvent all exploit mitigations suited for each target category, Zerodium explains.
The exploit in question should be fully functional and reliable, and linking to remote code execution on the operating system, either with privileges of the current user or with unrestricted root/SYSTEM privileges. That’s not all. The whole process of exploitation should be carried out in a silent manner, where no message or popup is triggered. No user interaction should be needed except visiting a web page.
Attack vectors relying on opening a document are not eligible. Zerodium, however, may make a distinct offer for such an exploit. Lastly, exploits that cause disruption of the Tor Network are not acceptable, as well as exploits requiring manipulation of Tor nodes.
Why launching this bug bounty? To help the government.
“We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all,” Zerodium says.
Interestingly, back in July this year, Tor initiated its own bug bounty program to prevent the identity of Tor used from being revealed.