Level 75
Exploit broker Zerodium has announced a month-long bounty program for code that can bypass the new heap isolation mitigation in Flash Player. It said that it will pay up to $100,000 per working zero-day.

Adobe has been working to strengthen Flash Player, a perennially popular target for vulnerability-hunters and hackers alike. Last month, it announced that it had rewritten its memory manager to protect against use-after-free vulnerability exploits.

Zerodium took that as its cue to up the ante, announcing via Twitter: “Adobe added isolated heap to Flash. This month we pay $100K (with sandbox) and $65K (without sandbox) per #exploit bypassing this mitigation.”

Zerodium launched in July 2015 as a new entrant to the ethically grey-scaled world of cyber-arms/defense-dealing. As its name suggests, it specializes in acquiring zero-day exploits. And then selling them off, typically to government intelligence agencies.

The start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race. Also, critics note that delivering advanced capabilities into the hands of governments and others can result in their ending up in the wrong hands—i.e., the Stuxnet effect.

For its part, Zerodium bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

Full article. Exploit Broker Zerodium Offers $100k Per Flash Zero-Day