A cybersecurity company has offered bounties of up to 1 million US dollars for Tor Browser 0-day vulnerabilities. Zerodium’s Tor 0-day bounty program is open until November 30th at 6pm Eastern, or until Zerodium terminates the program after having paid out 1 million dollars for Tor 0-days. The company has stated that it plans to sell these zero-day exploits to government agencies, such as law enforcement agencies. In the United States, zero-day exploits have been hoarded and used by intelligence agencies such as the NSA and the CIA. Earlier this year the government dropped charges against child pornography suspects when the FBI decided not to disclose a zero-day exploit it was using against the Tor network.
“While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all,” Zerodium writes in their FAQ for the Tor 0-Day Bounty program. Zero day vulnerabilities that would require “control or manipulation of Tor nodes” as well as “exploits/attacks that would cause disruption of legitimate use of the Tor network” will not be accepted by Zerodium.
The bounties will be paid through bank transfers or through Bitcoin. The company is specifically looking for exploits that work against Tor Browser running on Tails 3.x or Windows 10. Earlier this year Zerodium introduced a half-million US dollar bounty for 0-day exploits against the encrypted messaging apps Signal, WhatsApp and Facebook Messenger that allow for remote code execution and local privilege escalation. In July of this year the Tor Project itself launched its own bug bounty program. Late last year a zero-day exploit for the Tor Browser was being used to de-anonymize users. That exploit was said to be nearly identical to a zero-day exploit deployed by the FBI against Tor users in 2013.