Zerodium, a company that buys exploits, revealed last week that it would pay $300,000 for high-impact WordPress exploits for a limited time.
The company is looking for pre-authentication remote code execution exploits. The exploit must work against a default installation running the latest WordPress release, target WordPress core rather than a third-party plugin, and require neither authentication nor any user interaction.
Zerodium is offering up to $300,000 per qualifying exploit. Its standard payout for a WordPress RCE is $100,000, the same amount it lists for Webmin, Plesk, and cPanel/WHM exploits.
We’re temporarily increasing our payouts for WordPress RCEs to $300,000 per exploit (usually $100K).
The exploit must work with latest WordPress, default install, no third-party plugins, no auth, no user interaction!
If you have this gem, contact us: https://t.co/PBuS1nnpED
— Zerodium (@Zerodium) April 9, 2021
Zerodium’s customers are said to be government agencies, mostly in North America and Europe, seeking “advanced zero-day vulnerabilities and cybersecurity capabilities.”
“At ZERODIUM, we take ethics very seriously, and we carefully choose our customers,” the company says on its website. “This ensures that access to your research and exploits will be highly restricted, and limited to a very small number of institutional customers.”
Exploit brokers like Zerodium are also controversial because of the risk that they sell their capabilities to authoritarian regimes that use them to surveil and censor opponents; some brokers have been caught doing exactly that. No records of Zerodium supplying such regimes have surfaced to date.
Zerodium’s largest standing payouts are for Windows remote code execution exploits ($1 million) and for exploits that give a remote attacker full control of a mobile device ($2.5 million for Android and $2 million for iOS).
It is not unusual for the company to raise payouts for particular targets for a short period, most likely when customer demand is high, and just as common for it to stop buying certain exploit types altogether when it already holds a surplus.