ZERODIUM, which buys vulnerabilities, raises its purchase prices; a vulnerability that remotely jailbreaks iOS now fetches more than 200 million yen

by Sharon McCutcheon

ZERODIUM, which buys various "vulnerabilities" from crackers, has raised the price of most of the vulnerabilities it targets for purchase. However, the amounts ZERODIUM pays are staggeringly higher than those of companies' own incentive programs for the discovery of bugs and vulnerabilities, and researchers have raised questions about the reliability of ZERODIUM.

ZERODIUM - The Leading Exploit Acquisition Platform

ZERODIUM, which calls itself a "vulnerability acquisition platform", works to obtain unknown zero-day vulnerabilities from security researchers. ZERODIUM says that, whereas companies' bug discovery incentive programs accept almost any bug or vulnerability, it narrows its purchases to high-risk vulnerabilities and pays large fees for them.

ZERODIUM's purchase prices range from $2,000 (about 220,000 yen) to $2 million (about 217 million yen) per case.

ZERODIUM - How to Sell Your 0day Exploit to ZERODIUM

Specifically, a vulnerability that remotely jailbreaks iOS is worth $2 million (about 217 million yen) if it requires no click, and $1.5 million (about 163 million yen) if it requires one click. A vulnerability that allows remote code execution through WhatsApp, iMessage, or other SMS/MMS apps is worth $1 million (about 109 million yen). A vulnerability that allows remote code execution on Windows is also worth $1 million (about 109 million yen).

ZERODIUM evaluates and verifies a submitted vulnerability within one week. Payment is made by wire transfer, cryptocurrency (virtual currency), etc.

Although having a vulnerability bought at a higher price than a company would pay is attractive, Mr. Graham Cluley, an independent computer security analyst, points out the danger of ZERODIUM.

Earn $ 2,000,000 by remotely jailbreaking an iPhone

Mr. Cluley said, "The reason ZERODIUM can pay such high prices in the first place is, I believe, that it can make a profit by selling the information it gathers to others."

It would be fine if the parties ZERODIUM sells to were vendors such as Apple, Google, and Microsoft, using the information to fix bugs, but according to Mr. Cluley they are in fact criminals, terrorists, and government and intelligence agencies that aim to carry out zero-day attacks against foreign countries. If the customers really are such "malicious attackers", it is unthinkable that the information would be provided to vendors and security experts, because the value of a vulnerability drops once a patch is applied.

Mr. Cluley said, "In the first place, when you write articles about ZERODIUM in this way, they will raise their reputation", expressing his displeasure with the emoticon ":(". He warned that if a vulnerability like this is reported to ZERODIUM instead of Apple, all users are in danger.

in Security, Posted by logc_nt