Uh oh. An infamous company that pays thousands of dollars for iOS and Android hacking techniques is now out to acquire zero-day exploits for three popular VPN services.
Zerodium today sent out a tweet calling for “zero-days” or publicly unknown attacks that work against ExpressVPN, NordVPN, or Surfshark. The attacks must be capable of leaking information from the VPNs, such as a computer’s IP address. Zerodium will also pay for exploits that can trigger a VPN to remotely execute computer code.
Zerodium didn’t say how much it’s willing to pay for the hacking techniques. But its bounties can range from $100,000 up to $2.5 million for the most powerful zero-day exploits against Android and iOS. For now, Zerodium is merely calling on hackers and security researchers to submit “pre-offers” for the zero-day exploits via its website.
Zerodium’s tweet is unsettling, given that ExpressVPN, NordVPN, and Surfshark are highly rated and popular VPN services. But it’s also true that hackers and fraudsters rely on VPN services too.
The technology works by rerouting your internet activity to the VPN provider’s servers and encrypting the connection, which can prevent an internet service provider from learning what you’ve been browsing. However, the zero-day exploits Zerodium is asking for could unravel the encryption and even hijack your PC or smartphone.
The bounty from Zerodium also suggests the company’s clients are looking to spy on some users of the three VPN apps. Those customers include government institutions in the US and Europe “in need of advanced zero-day exploits and cybersecurity capabilities,” according to Zerodium’s website.
“At Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process,” the site adds. “Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.”
Zerodium—along with ExpressVPN, NordVPN, and Surfshark—didn’t immediately respond to a request for comment. However, both ExpressVPN and NordVPN offer bug bounties, which means they’ll pay you for uncovering vulnerabilities in their software. Still, the rewards are far lower than what Zerodium can potentially offer.