Zerodium offers up to $400,000 for exploits for Microsoft Outlook


Well-known exploit and vulnerability broker Zerodium announced that it is ready to pay up to $400,000 for zero-day vulnerabilities and exploits that will allow remote code execution in the Microsoft Outlook email client.

Previously, the maximum payout was $250,000. For similar bugs in Mozilla Thunderbird, the company is willing to pay up to $200,000.

Let me remind you that Zerodium, founded in 2015, has long been buying exploits for various zero-day vulnerabilities in order to resell them to governments and law enforcement agencies around the world. To do this, the company runs its own bug bounty program, through which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the bug).

In addition, from time to time the company holds “bug-fixing” campaigns, during which it buys exploits for particular software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, popular VPN products, and so on.

Rewards for bugs in Mozilla Thunderbird and Microsoft Outlook have also been temporarily increased, the company said on Twitter.

“We’re currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs. We’re also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000),” Zerodium representatives wrote.

Zerodium does not specify which platform the exploits should target, but both email clients have versions for all three major operating systems—Windows, macOS, and Linux.

Many information security experts noted that a successful hack into either of the two email clients would give the attacker access not only to the user’s computer, but also to all mailboxes managed through the compromised client. Since account passwords can be extracted from the client, this also means that the party using the exploit will later be able to access cloud accounts.


By Vladimir Krasnogolovy
