Zerodium, an exploit acquisition platform, is offering $400,000 to anyone for a Remote Code Execution (RCE) zero-day vulnerability in Outlook. Although it did not disclose a deadline for submissions, the offer has been described as temporary.
The huge offer
Zerodium’s regular bounty for an RCE vulnerability in Outlook is $250,000. However, in this specific case, the firm has increased its offer price to $400,000.
For $400,000, the platform is looking for a zero-click exploit, that is, one that achieves RCE without any user interaction such as reading the message or opening an attachment.
Even so, Zerodium is not ruling out a bounty for exploits that require an email to be opened or read. The submitter of such an exploit will simply get a lower, undisclosed payout.
It is also offering up to $200,000 for exploits leading to remote code execution in Mozilla Thunderbird. This amount has been the same since 2019.
The same conditions apply to exploit payouts for Mozilla Thunderbird as for Microsoft Outlook. An RCE in an email client may allow attackers access to all accounts.
On March 31, 2021, Zerodium temporarily tripled the bounty for valid WordPress RCE exploits.
A usual business model
Apparently, offering high prices for finding and submitting bugs in its products of interest is a usual business model for the platform.
Recently expired temporary offers included up to $400,000 for a sandbox escape and RCE in Chrome and up to $150,000 for RCE in VMware vCenter Server.
Moreover, a regular payout for an exploit in an open-source CMS is around $100,000.
The bottom line
A zero-day vulnerability in Microsoft Outlook that requires no user interaction has unimaginable potential for threat actors. Such bugs may lead to the development of highly sophisticated weapons for cyberespionage or even weapons for causing mass destruction on the Internet. This calls for strict cyber defenses and proactive measures to combat such threats.