Well-known exploit and vulnerability broker Zerodium announced that it is ready to pay up to $400,000 for zero-day vulnerabilities and exploits that will allow remote code execution in the Microsoft Outlook email client.
Previously, the maximum payout was $250,000. For similar bugs in Mozilla Thunderbird, the company is willing to pay up to $200,000.
Zerodium, founded in 2015, has long bought exploits for zero-day vulnerabilities in order to resell them to governments and law enforcement agencies around the world. It runs its own acquisition program for this purpose, in which researchers can sell exploits for up to $2.5 million, depending on the type and nature of the bug.
In addition, the company periodically runs limited-time acquisition campaigns, during which it buys exploits for particular software at elevated prices. Previous campaigns of this kind have targeted Pidgin, WordPress, hypervisors, popular VPN products, and other software.
The increased rewards for Mozilla Thunderbird and Microsoft Outlook are likewise temporary, the company said on Twitter.
Zerodium does not specify which platform the exploits should target. Thunderbird runs on Windows, macOS, and Linux; Outlook ships native desktop clients for Windows and macOS.
Many information security experts noted that a successful attack on either email client would give the attacker access not only to the user’s computer, but also to every mailbox managed through the compromised client. Because stored account credentials and session tokens can be extracted from the client, the party using the exploit would also be able to log in to the associated cloud accounts later, independently of the compromised machine.
You might also be interested to read that researchers have noticed darknet discussions of “exploits as a service”, and that a PoC exploit was published for a fresh vulnerability in Ghostscript.