ZERODIUM, which 'purchases vulnerabilities', raises its purchase prices; a vulnerability that remotely jailbreaks iOS now fetches over 200 million yen.


Photo: Sharon McCutcheon

ZERODIUM, which buys various 'vulnerabilities' from hackers, has raised the prices for most of the vulnerabilities it purchases. However, ZERODIUM's prices are far higher than those of the bug bounty programs vendors run themselves for finding bugs and vulnerabilities, and some researchers have questioned whether ZERODIUM can be trusted.

ZERODIUM --The Leading Exploit Acquisition Platform

ZERODIUM, which describes itself as a 'vulnerability acquisition platform', buys unknown zero-day vulnerabilities from security researchers. While vendors' bug bounty programs accept almost any bug or vulnerability, their payouts are not that high; ZERODIUM, by contrast, claims to focus on high-risk vulnerabilities and to pay high rewards for them.

ZERODIUM's purchase prices range from 2,000 dollars (about 220,000 yen) to 2 million dollars (about 217 million yen) per submission.

ZERODIUM --How to Sell Your 0day Exploit to ZERODIUM

Specifically, a vulnerability that remotely jailbreaks iOS is worth $2 million (about 217 million yen) if it requires no click, and $1.5 million (about 163 million yen) if it requires one click. A remote code execution vulnerability in WhatsApp, iMessage, or other SMS/MMS apps is worth $1 million (about 109 million yen). A remote code execution vulnerability in Windows is also worth $1 million (about 109 million yen).

ZERODIUM evaluates and verifies submitted vulnerabilities within one week. Payment is made by wire transfer or in cryptocurrency.

While it is tempting to sell to a buyer that pays more than the vendors do, Graham Cluley, an independent computer security analyst, points out the dangers of ZERODIUM.

Earn $2,000,000 by remotely jailbreaking an iPhone

'Why can they buy at such a high price in the first place? Because they believe they can make a profit by selling the information ZERODIUM collects to others,' Cluley said.

It would be nice if those buyers were vendors such as Apple, Google, and Microsoft using the information to fix bugs, but in reality, Mr. Cluley said, they are criminals, terrorists, governments, or intelligence agencies planning zero-day attacks against foreign targets. If the customers really are such 'malicious attackers', it is unlikely the information will ever reach vendors or security experts, because a patch would destroy the value of the vulnerability.

Mr. Cluley said, 'In the first place, when I write about ZERODIUM in this way, I only increase their fame.' He also warned that if such a vulnerability is reported to ZERODIUM instead of Apple, all users are put at risk.

in Security, Posted by logc_nt