One of the biggest names in the zero-day exploit market announced it is paying up to $100,000 for vulnerabilities in Pidgin, a messaging app frequently used by darknet market vendors and various cybercriminals. Zerodium, a company famous for their disclosure of exploits to three-letter government agencies, made the announcement on Twitter, directing users to their updated bounty page.
At the top of the page is a bounty entitled Pidgin RCE, which states that Zerodium is looking for “remote code execution exploits affecting the latest version of Pidgin on Windows and/or Linux.” The conditions clarify that the exploit should “work with default installations” and “not require any user interaction other than reading a message.”
The new bounty listing created something of a stir on social media where Twitter users took turns guessing who Zerodium’s law enforcement clientele might target with access to such an exploit. Guesses ranged from darknet market vendors to “cybercrime gangs” to other governments.
According to the description of the company’s exploit acquisition program:
“Zerodium pays BIG bounties to security researchers to acquire their original and previously unreported zero-day research. While the majority of existing bug bounty programs accept almost any type of vulnerabilities and PoCs but pay very little, at Zerodium we focus on high-risk vulnerabilities with fully functional exploits and we pay the highest rewards in the market (up to $2,500,000 per submission).”
The highest bounties are reserved for exploits that could be used to gain full control of Android devices.
Pidgin is an XMPP/Jabber client that was initially launched in 1998 as a competitor to AIM (AOL Instant Messenger). Its “Off-the-Record Messaging” plugin provides end-to-end encryption for conversations, which makes it an especially valuable utility for those looking to maintain anonymity while communicating on the internet.
A zero-day exploit in Pidgin could theoretically be used to de-anonymize those looking to remain anonymous, which is why it is of potential value to the government, and thus Zerodium.
In Sept. 2017, Zerodium caught the attention of computer security researchers and the darknet market community after announcing it would pay up to $1 million for similar zero-day exploits in the Tor browser.