Even as top messaging apps make their best efforts to convince the public at large that their platforms are absolutely secure, there are organized groups that are ready to offer huge cash rewards to those who can detect vulnerabilities.
This is particularly true of zero-day vulnerabilities: reporting one to an agency like Zerodium could earn the researcher an incredible reward.
Zerodium has announced that it’s willing to pay up to $500,000 to those who can detect vulnerabilities in popular messaging apps like WhatsApp, Facebook Messenger, Telegram, iMessage, WeChat, Viber and a few others.
Exploiting the Weaknesses Before the Service Provider Can Act on Them
There are white-hat hackers whose genuine objective is to make software programs bug-free—when they come across any serious vulnerabilities, they inform the company’s development team.
The bugs are then fixed and the updates and patches released to the end users.
But agencies like Zerodium do not follow this path. Their aim could be different, though officially they claim to be operating private bug-bounty programs.
For its part, Zerodium does not believe in sharing the discovered vulnerabilities with the providers of these apps.
This is where opinion about the company can differ from its stated intentions.
Zerodium Says It is Encouraging Cybersecurity Research
The team behind Zerodium has issued a statement claiming that their bug-bounties and reward programs were created to cultivate a pool of talented researchers.
Their experience in such matters will earn them a good standing within the cybersecurity field.
The website goes on to state that Zerodium was founded by people with experience in vulnerability research, adding that the service mainly operates on behalf of Zerodium clients.
These clients could even be governments in some cases.
But Zerodium confirms that it’s under no obligation to share the findings with the messaging app providers in question.
An Attractive List of Rewards
Zerodium’s reward list for discovering bugs within software programs looks quite lucrative.
As per the amounts now announced, the program offers:
- $300,000 for Windows 10 zero-day code execution exploits.
- Varied rewards for the dark web browser Tor, depending on the platform it has been downloaded on: $80,000 for Windows and $100,000 for Linux.
- $100,000 for remote code execution on a program like Microsoft Outlook.
Adding Messaging Apps to Its Targets for the First Time
This latest move by Zerodium is being widely discussed online because it is the first time the company has included messaging apps in its bug-bounty rewards.
The addition of email apps for Android and iOS is also a significant departure from the past.
Since mobile devices now dominate internet access worldwide, Zerodium has extended its rewards for zero-day vulnerabilities and remote code execution to documents and other multimedia files on mobile devices. Successful researchers can earn more for their exploits if they share their findings with Zerodium.
One of the interesting developments in this connection is the announcement regarding the bounty for exploiting vulnerabilities in the Flash Player application.
It is widely known that Adobe has declared that the application will be killed by 2020.
However, Zerodium has still maintained a reward for finding vulnerabilities in the program.
A Double-Edged Sword
Overall, given these new updates, the kinds of bug bounties and code execution exploits being rewarded by Zerodium are a welcome step, as long as the end purpose of such exploits is a good cause.