Hackers willing to find unpatched vulnerabilities in the Linux operating system and report them to exploit acquisition firm Zerodium can earn up to $45,000 for their findings, the company announced on Thursday.
The company has been long acquiring vulnerabilities in Linux as part of its normal payouts program, but it would normally pay only up to $30,000 for Local Privilege Escalation flaws in the operating system. Until March 31, 2018, however, such flaws can earn hackers up to 50% more, Zerodium said on Twitter.
Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS/RHEL/Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018. To submit, please check: https://t.co/8NeubPvSdj
— Zerodium (@Zerodium) February 8, 2018
Zerodium claims that hackers who submit valid zero-day vulnerabilities in products of interest would receive payment for their efforts within a week after the initial submission.
The exploit acquisition firm is targeting vulnerabilities in the most commonly used Linux distributions and interested hackers can head over to its website to learn specific information on what is considered an eligible submission.
The payments promised for Linux vulnerabilities, however, aren’t the highest the company offers.
On desktop platforms, remote code execution flaws in Windows can earn the reporting hacker up to $300,000. Those who discover unpatched vulnerabilities in mobile operating systems can make up to $1,500,000, if the bug affects Apple’s iOS platform.
In fact, Zerodium is already known to have paid a group of hackers $1 million for a zero-day in iOS.
In August 2017, Zerodium announced it was prepared to pay up to $500,000 for unpatched vulnerabilities in popular instant messaging and email applications. The offer remains active in its current program.
In September last year, the company announced it was willing to pay up to $1 million for zero-day flaws in the Tor Browser. The “bounty” program ended in December 2017, but Zerodium wouldn’t provide information on the results of the operation.
Once in the possession of vulnerabilities it considers of interest, the company sells them to its customers as part of the Zerodium Zero-Day Research Feed. The company also says it analyzes, aggregates, and documents the acquired security intelligence before offering it, along with protective measures and security recommendations, to its clients.