Renowned vulnerability broker Zerodium announced that it is purchasing zero-day vulnerabilities in the Windows clients of three major VPN products: ExpressVPN, NordVPN, and Surfshark.

Let me remind you that Zerodium, founded in 2015, has long been buying exploits for various zero-day vulnerabilities in order to resell them to governments and law enforcement agencies in different countries. To do this, the company runs its own bug bounty program, under which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the vulnerability).
In addition, from time to time the company runs special bug-hunting campaigns, during which it buys exploits for a specific piece of software at special prices. Previously, similar campaigns were held for Pidgin, WordPress, hypervisors, and so on.
The new campaign of this kind targets the Windows clients of three major VPN products, ExpressVPN, NordVPN and Surfshark, which are used on thousands of proxy servers around the world.
Zerodium says that it is interested in exploits that lead to the disclosure of the VPN user’s personal information or reveal the user’s real IP address, as well as exploits that lead to remote code execution on the victim’s computer.
Nothing is known about the remuneration the company is willing to pay researchers. ExpressVPN and NordVPN have their own bug bounty programs: for example, ExpressVPN offers up to $2,500 for vulnerabilities (with bonuses of up to $10,000), while NordVPN is willing to pay $5,000 for critical bugs. Zerodium will probably offer a lot more.
We also reported that Zerodium will not buy exploits for iOS, because there are too many of them.