Zerodium, a US-based company that serves government clients and promises big bounties, is now looking for zero-day exploits for the most popular VPN services.
Zerodium is seeking to acquire exploits for three highly rated and popular virtual private network (VPN) service providers: NordVPN, ExpressVPN, and Surfshark.
Zerodium tweeted that it is looking for #0day exploits affecting VPN software for Windows, listing three exploit types of interest: information disclosure, IP address leak, or remote code execution.
In everyday use, the term VPN usually refers to a service that lets you bypass censorship, access blocked content, or simply increase online privacy. NordVPN, ExpressVPN, and Surfshark are among the most popular and highest-rated VPN service providers worldwide.
The company did not specify how much it is willing to pay for the exploits. Still, it brags it is paying not bug bounties but “BIG bounties” to security researchers for their original and previously unreported zero-day research.
Zerodium claims to focus on high-risk vulnerabilities with fully functional exploits, and says it pays up to $2.5 million per submission.
The company states that its customers are government institutions mainly from Europe and North America “in need of advanced zero-day exploits and cybersecurity capabilities.”
It also declares that it takes ethics very seriously and chooses its customers very carefully “through a very strict due diligence and vetting process.” But Zerodium does not specify what constitutes its ethics.
According to Zerodium, access to “acquired zero-day research is highly restricted and is limited to a very small number of government clients.” No further information on their clients is available on their site.
Zerodium was founded by vulnerability and exploit broker Chaouki Bekrar in 2015. Before that, he ran VUPEN, which employed researchers to conduct original vulnerability research and develop exploits for existing bugs.
In an interview with Threatpost in 2015, Bekrar claimed: “We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies. We do not sell to oppressive countries.”
Another Threatpost report, from 2013, revealed that the US National Security Agency (NSA) bought VUPEN’s services on Sept. 14, 2012. The NSA contract was for a one-year subscription to the company’s “binary analysis and exploits service.”