Zerodium, a hacking company that sells exploits to governments around the world, is now offering $1 million for previously undiscovered vulnerabilities in the Tor web browser.
The top prize, a $250,000 bounty, requires a researcher to be able to demonstrate a remote code exploit against Tor while the browser is at its highest security settings on either Windows 10 or the security-focused operating systems TAILS.
The attack vector has to be a website targeting the Tor Browser.
The Tor browser anonymizes web traffic, encrypting it between computers known as nodes. The network’s architecture makes determining the origin of traffic extremely difficult. The section of the internet known as the “dark web” is only accessible via the Tor browser.
The six-figure prize comes weeks after Zerodium placed $500,000 bounties on secure messenger applications, like Signal, Telegram and WhatsApp. The highest single bounty offered by the company is $1.5 million for an iPhone zero-day vulnerability allowing remote jailbreaking with persistence at zero clicks.
Zero-day exploits are in many cases becoming increasingly rare and expensive, according to researchers.
“While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse,” Zerodium’s website reads. “We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all.”
In a statement to Vice, Tor condemned the program and said Zerodium’s bounty requests put “our most at-risk users’ lives at stake.”
Zerodium founder Chauki Bekrar took to Twitter to disagree: “False. All known Tor Browsers exploits used by Govs (2013 & 2016) didnt threaten life of ANY legit user. Only hurt pedo & drug traffickers.”
“The price that Zerodium puts on a product is always an indication of the security of that product, the higher the price, the better is the security of that product,” Bekrar told CyberScoop last month. “The prices result from both a high demand and a small attack surface in these apps which makes the discovery and exploitation of critical bugs very challenging for security researchers.”
Zerodium’s Tor Browser bounty is open until November 30.