Zerodium buys vulnerabilities in ExpressVPN, NordVPN and Surfshark

Vulnerabilities in ExpressVPN, NordVPN and Surfshark
Written by Emma Davis

Renowned vulnerability broker Zerodium announced that it is purchasing zero-day vulnerabilities in Windows clients for three major VPN products: ExpressVPN, NordVPN, and Surfshark.

Let me remind you that Zerodium, founded in 2015, has long been buying exploits for various zero-day vulnerabilities and then reselling them to governments and law enforcement agencies in different countries. The company has its own bug bounty program, under which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the vulnerability).

In addition, from time to time the company conducts campaigns “to identify errors”, during which it buys exploits for specific software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, and so on.

A new campaign of this kind is targeting Windows clients of three major VPN products: ExpressVPN, NordVPN, and Surfshark, which are used in thousands of proxy servers around the world.

“We’re looking for 0day exploits affecting VPN software for Windows: – ExpressVPN – NordVPN – Surfshark. Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope,” Zerodium wrote on Twitter.

Zerodium says that it is interested in exploits that can lead to the disclosure of personal information of the VPN user, can reveal the actual IP address of the user, as well as exploits that lead to remote code execution on the victim’s computer.

Nothing is known about the remuneration the company is willing to pay researchers. ExpressVPN and NordVPN have their own bug bounty programs. For example, ExpressVPN offers up to $2,500 for vulnerabilities (with bonuses up to $10,000), while NordVPN is willing to pay $5,000 for critical bugs. Zerodium will probably offer a lot more.

We also reported that Zerodium will not buy exploits for iOS, as there are too many of them.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
