WhatsApp change number feature
Zerodium is raising the stakes for researchers who can uncover zero day exploits in WhatsApp, Signal and TelegramReuters/Phil Noble

Leading exploit broker Zerodium is offering security researchers and white hat hackers up to $500,000 (£390,747) for fully functional exploits targeting popular encrypted mobile messaging platforms including Signal, WhatsApp and Telegram.

The Washington DC-based firm announced on Wednesday (23 August) a new price list for tools that permit remote code execution and local privilege escalation on several messaging apps such as WhatsApp, Signal, Facebook Messenger, iMessage, Telegram, Viber and WeChat.

Zerodium is also offering $150,000 for baseband and media file or document RCE and LPE attacks as well as $100,000 for sandbox escapes, code signing bypass, LPE to Kernel, WiFi RCE and LPE, and SS7 attacks. Half a million dollars will also be awarded to anyone who can find zero day exploits and LPE bugs in default mobile email applications as well.

According the company's website, Zerodium "pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software and devices."

"While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at Zerodium we focus on high-risk vulnerabilities with fully functional exploits and we pay the highest rewards on the market."

The payouts awarded to researchers depend on "on the popularity and security strength of the affected software or system, as well as the quality of the submitted exploit," Zerodium notes.

In September 2016, the company raised the stakes for a remote iOS 10 jailbreak and bumped up the bounty from $1m (£782,000) to $1.5m (£1.2m). Now, the firm has revised its price list for researchers who find any zero-day vulnerabilities in Apple's software.

To win the top $1.5m reward, researchers will have to find an exploit that is remote, without any user interaction and still persists even after reboot. However, researchers who do uncover a remote jailbreak with user interaction could still stand to earn $1m.

Zerodium founder Chaouki Bekrar said via Twitter that the new stipulation for the top payout is "a bit harder but feasible."

After testing, analyzing and verifying the vulnerability research, Zerodium says it then reports the information to clients as part of its Zero-Day research feed, along with security recommendations and measures.

Its customers include "major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities."

"Overall prices are trending up—and quite significantly in many cases, and there's an increased focus on mobile," Adam Caudill, a senior application security consultant at AppSec Consulting, told Ars Technica. "The new $500k targets for messaging and default e-mail apps show what a priority attacking individuals via their devices has become (which makes sense, given the recent increase in state-sponsored malware targeting mobile devices via SMS and the like)."