A startup that sells exploits to governments says it wants hacks for the browser used by activists, protesters, journalists, and criminals.
A notorious startup is offering up to $1 million in rewards to security researchers who can find bugs and develop techniques to exploit the anonymous web surfing tool the Tor Browser.
"We need many exploits as we have many customers with many ongoing operations against illegal activities undertaken on Tor," Chaouki Bekrar, the CEO and founder of Zerodium, told Motherboard in an online chat. "We have a higher demand for Tor exploits from our government customers as they are facing higher illegal activities on Tor and they must take action."
In the announcement, Zerodium specifically pointed to "drug trafficking or child abuse" as examples of how "ugly people" use Tor. The bounty is open until November 30 unless payouts reach $1 million before then, the company said. Usually, bug bounty programs don't have an expiration date.
Zerodium has gained notoriety for offering high payouts and bounties for targets such as the iPhone. In 2015, shortly after its launch, Zerodium offered $1 million for anyone who could develop a technique to hack an iPhone remotely. When the challenged ended, the company claimed that a team of hackers was able to claim the bounty. Zerodium always declines to discuss the identities of its customers or the researches it deals with.
Undoubtedly, there's demand among intelligence and law enforcement agencies for such exploits. Last year, European cops hacked users of a child pornography website called The GiftBox Exchange using an unknown Firefox vulnerability—or zero-day. But some believe that Zerodium's headline-grabbing prices are just a marketing stunt.
"I don't think [the prices] are accurate reflections of Tor Browser as a secure system," a security researcher with knowledge of the exploit market, who asked to remain anonymous, told Motherboard. "Those prices are marketing."
Last month, when Zerodium announced new rates and bounties, offering the same amount of money ($100,000) for similar Tor Browser and Chrome exploits, Tor developer and cryptographer Isis Lovecruft told Motherboard that "maybe this is all a PR stunt to get people like us to pay attention to their silly 0day-hoarding startup :)."
"Hard research work = big bounty," he told me.
A spokesperson for the Tor Project, which develops and maintains the Tor Browser, said that "the amount of the bounty is a testament to the security we provide."
"We think it's in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty," Stephanie Whited said in an email, referring to Tor's own bug bounty, which offers up to $4,000 in rewards. "Over 1.5 million people rely on Tor everyday to protect their privacy online, and for some it's life or death. Participating in Zerodium's program would put our most at-risk users' lives at stake."
This story has been updated to include a comment from Chaouki Bekrar and the Tor Project.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.