Zero-day broker firm Zerodium is offering up to $500,000 for VMware ESXi (vSphere) and Microsoft Hyper-V vulnerabilities.

The company is looking for exploits that allow guest-to-host escapes in default configurations to gain full access to the host.

We're paying up to $500,000 for #0day exploits targeting VMware ESXi (vSphere) or Microsoft Hyper-V, and allowing Guest-to-Host escapes.

The exploits must work with default configs, be reliable, and lead to full access to the host. Contact us: https://t.co/8NeubPvSdj — Zerodium (@Zerodium) March 5, 2019

The overall price for ESXi virtual machine escapes has rapidly increased over the years. In August 2017, Zerodium was offering up to $80,000 for VMware ESXi guest-to-host escapes, while the previous payout for this was $200,000.

“We are increasing the payouts for VMWare ESXi exploits to attract and encourage more researchers into auditing the security of this hypervisor as we firmly believe that there are many critical vulnerabilities affecting it and our government customers are in need of such exploits,” Chaouki Bekrar, founder and CEO of Zerodium, told SecurityWeek.

The payout for Microsoft Hyper-V exploits is a novelty in Zerodium’s offer: this is the first time that the zero-day broker has included a payout for this kind of exploit.

“Hyper-V was not part of our bounty program as there was low to no interest in this product from our customers,” added Bekrar. “However, we’ve recently observed a significant increase in demand for Hyper-V exploits and we have decided to add it to our program.”

According to Bekrar, these payouts for Hyper-V and ESXi zero-day exploits are valid for a couple of months, after which the company will decide on changes depending on the number of submissions received in this period.

In January, Zerodium announced it was offering to pay up to $2 million for remote iOS jailbreaks that don’t need any user interaction. The company’s previous offer for this kind of exploit was $1.5 million.

The company also doubled the payouts for remote code execution flaws in WhatsApp, iMessage or SMS/MMS applications, raising them from $500,000 to $1 million.

Pierluigi Paganini

(SecurityAffairs – bug bounty, hacking)
