A new bug bounty program launched by Zerodium, the private firm known to market exploits, is offering hackers a payout of up to $1m (£746,568) for finding zero-day vulnerabilities that affect the Tor Browser. The bug bounty program comes with a deadline – 30 November 2017 – before which unknown Tor flaws on Tails Linux and Windows must be submitted.
However, Zerodium says that if the firm has already paid out the $1m bounty and has achieved what it wants before the deadline, it may terminate the program prior to the expiration date.
"The research must rely on exclusive, unknown, unpublished, and unreported zero-days, and must bypass all exploit mitigations applicable to each target category. The exploit must be fully functional, reliable, and leading to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges," Zerodium said.
The firm also said that the entire attack using the exploit should function "silently". In other words, the attack should not alert the target by triggering any messages or pop-up windows. The attack also shouldn't require any "user interaction" apart from visiting a web page, which rules out phishing or other means of engaging the user. However, Zerodium says that it may "at its sole discretion, make a distinct offer to acquire such exploits."
The Tor Browser is known to be used by the general public, journalists, activists and others. Earlier in the year, the Tor Project launched its first bug bounty program.