Your million-dollar 0day just got burned and is now worth nothing? No worries – we are still interested in your exploit. The value of 0days can range from a few thousand dollars to even a million dollars for a full remote exploit chain, and many companies and governments are willing to buy them. The problem with this approach is that your exploits are used for attacks against unknown targets (security researchers, press reporters and activists are all well-known targets). As soon as the vulnerability is discovered and patched, sophisticated attackers will stop exploiting the bug and it is rendered useless. Professional hackers-for-hire try not to rely on N-days to avoid getting caught.
In many cases, exploit buyers will not pay the full exploit price if the vulnerability gets fixed by the vendor.
How much is a 0day worth in the latest Android or iOS? Possibly even a million dollars for a remote, generic exploit. How much is the same 0day worth one month after the bug was patched? Sometimes as low as zero dollars. In our efforts to promote patching in mobile devices, we seek to change this process and help companies and researchers alike. We now offer a purchasing program for N-Day exploits.
It’s simple. We’ll buy remote or local exploits targeting any version other than the latest version of iOS and Android.
The exploit will be released first to the Zimperium Handset Alliance (ZHA) partners. ZHA includes 30+ of the most well-known carriers and handset vendors. Amongst our ZHA partners you can find: Samsung, Softbank, Telstra and BlackBerry. The complete list is available only to the security contacts within the carriers and vendors.
We will provide ZHA partners between one and three months' advance notice before releasing the exploit publicly (unlike most exploit acquisition programs). We will not release these exploits publicly if requested by the author. We would like to encourage security researchers to provide proof of exploitation for known vulnerabilities and, at the same time, get paid for previous work. Multiple ZHA partners explained to us that without proof of exploitability, it's hard to convince security teams to allocate the resources needed for a complete patch cycle, even for known issues. We hope this program will encourage more researchers to look into monthly security updates, and promote better patching.
What will Zimperium do with the exploits?
Our plan is to use the exploits to enhance our z9 engine. So far, all of the publicly available kernel exploits released over the last few years were detected by our z9 engine, without requiring an update. As a mobile security vendor, it is obvious that we should support the latest devices, but with large deployments and tens of millions of users, we must also provide backward compatibility and identify attacks on devices that even the device vendors are no longer supporting (e.g., Android 4.1). In such scenarios, the users do not even have the option to update their phone. For us, supporting old devices is a key decision to help where the update policy has failed consumers.
Why are you buying N-days?
Security research and exploitation are in our heart and are what led Zimperium to this point. We appreciate the art of exploitation, and we appreciate the cool tricks used to write an exploit, bypass ASLR/KASLR, achieve persistence, etc. We humbly believe that we can learn from any exploit and, as a result, offer better security for our customers and partners.
Are you planning to buy 0days, too?
Will you release the exploit?
Yes, unless explicitly asked not to by the author. Our goal is to help the community, penetration testers, and mobility and IT admins to better evaluate their security and protect their devices.
Will you provide credit for the exploit developer?
Yes, unless asked to remain anonymous.
What are the payment methods?
We can do an electronic transfer, PayPal or even bitcoin if you wish to remain anonymous.
How much is going to be allocated for the Zimperium N-Days EAP?
We will allocate 1.5 million US dollars for this program.
How will you decide which exploit gets purchased and for how much?
An exploit committee made up of selected members of zLabs will decide how much to offer for each N-Day exploit. Remote exploits are even more valuable than local ones, but it all depends on the exact bug (and the beauty of the exploit).
What type of bugs are we looking for?
- Remote exploits
- Local exploits
- Information disclosure vulnerabilities
- Other vulnerabilities can apply but need to be described in the email
How does it work?
Send us a note to firstname.lastname@example.org (PGP key below).
1. Describe the exploit
2. When was it patched? (which CVE)
3. How does the exploit chain work?
4. Do you want to release the code publicly after we check it in our labs? If so, would you like to receive credit for it?

If (4) is not provided, the default is yes.
We will then provide you with a quote containing our offer for your exploit. We will only submit the payment once we are able to trigger the vulnerability on an older device/OS.
email@example.com – public key