Zero-day-acquisition firm Zerodium reported it will a total of $1 million for zero day exploits found for the Tor browser on Tails Linux and Windows.

The bounty, which runs until November 30, 2017, covers several different exploits for which Zerodium is specifically searching and the company has set several bars that must be met to receive payment:

  • The research being unknown, unpublished and unreported zero days.
  • The initial attack vector must be a web page targeting the latest versions of Tor Browser.
  • The exploit must be fully functional, reliable, and leading to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges.
  • The whole exploitation process should be achieved silently, without triggering any message or popup, and without requiring any user interaction except visiting a web page.

The highest payment, $250,000, will be made to those who discover a zero day capable of executing remote code execution plus local privilege escalation against the Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit), with JavaScript blocked and the security settings on high. Zerodium is offering $200,000 for those showing the same exploits on Tor Browser on Tails 3.x (64bit) or on Windows 10 RS3/RS2 (64bit).