Zerodium, an exploit acquisition firm, revealed on Tuesday that it is looking to buy zero-day attacks for major VPN software.
The company is specifically looking for exploits for the Windows versions of the ExpressVPN, NordVPN, and Surfshark programmes. Millions of people utilise these VPN services.
We’re looking for #0day exploits affecting VPN software for Windows:
Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.
Contact us: https://t.co/R6E2CVU9K3
— Zerodium (@Zerodium) October 19, 2021
Zerodium is on the lookout for remote code execution, IP address leaks, and other data leaks. It is not interested in acquiring local privilege escalation flaws.
The corporation hasn’t stated how much it is willing to pay for zero-day vulnerabilities. Both ExpressVPN and NordVPN have bug bounty schemes in place: ExpressVPN pays up to $2,500 per vulnerability, plus bonuses of up to $10,000, while NordVPN pays $5,000 or more for serious security problems. Zerodium is likely willing to pay a lot more for zero-day vulnerabilities.
ExpressVPN, NordVPN, and Surfshark are used mainly by consumers, and there have been no reports of vulnerabilities in these applications being exploited in attacks.
On the other hand, there have been numerous allegations of threat actors targeting enterprise VPN solutions, including those from Fortinet, Pulse Secure, Citrix, VMware, and Zimbra. The National Security Agency (NSA) issued an advisory earlier this year, alerting organisations that Russian cyberspies had exploited weaknesses in these products.
For the time being, Zerodium is paying out more for Chrome, VMware vCenter Server, and WordPress exploits: the business is offering up to $1 million for Chrome exploits, $150,000 for vCenter Server exploits, and $300,000 for WordPress exploits.