
Exploit Vendor Zerodium Puts $100,000 Bounty On Flash's New Security Feature

An anonymous reader writes: Zerodium, the company that buys zero-day bugs from security researchers and then sells them forward to government intelligence agencies, has put out a new bounty, this one on Adobe's Flash Player. The exploit vendor is offering $100,000 to the first researcher that finds a similar zero-day bug, capable of avoiding Flash's newly-released isolated heap memory protection feature. Previously, Zerodium offered $1 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system.

  • Time to make friends with someone who works at Adobe then. An easy $50,000 sounds nice.

  • I seem to get the hint that Adobe Flash vulnerabilities are used as a backdoor to gain access to people's computers???
  • by jtara ( 133429 ) on Tuesday January 05, 2016 @06:07PM (#51244249)

    The most value from such an exploit...

    ... would be being able to accumulate a list of the users stupid enough to still have Flash installed! (Or allowing it to be run indiscriminately)

    (If you do have it, please use a flash blocker, so that you then only click on the button to run the flash on trusted sites.)

    • by jtara ( 133429 )

      ...because then you would have a list of gullible people.

  • ... in Flash that compromises security... they would be bankrupt within a week!
    • Pretty sure they pocket at least 5-10x that $100k for every sale they make to a governmental organization...

  • With all the security holes in Flash these days, I don't get why browsers haven't made "click to play" for Flash videos the default. No Flash videos would run unless you activated them.

    • I think this is because video is just one of the many uses of Flash. It would break, for example, the menus of many sites - albeit far less than it used to be nearly a decade ago when I first installed FlashBlock, there still are some around.

  • Arms trafficking (Score:4, Informative)

    by Etherwalk ( 681268 ) on Tuesday January 05, 2016 @06:28PM (#51244393)

    For all the ridiculous arms export regulations around encryption historically, this actually seems much more like serious arms sales. Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

    • by jopsen ( 885607 )

      Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

      Adobe certainly has a standing... Considering that all the big corps feel they have standing when researchers publicly share and discuss DRM.
      There is clearly no "fair use" or "public interest" argument to be made here, quite the opposite.

    • by adolf ( 21054 )


      It's a lot like offering to pay someone who first figures out how to pick a new type of mechanical lock, and brokering that information to an interested third party.

      Is that -- should that -- be a crime?

      • by robbak ( 775424 )
        Yes, unless the 'interested party' is the manufacturer, who will quickly recall the locks and replace them with secure ones.
      • Wrong comparison.

        Even perfectly constructed mechanical locks requiring a mechanical key can be picked. Or otherwise broken using force. It may be hard to pick, it may need a lot of force, but they can be broken. This as mechanical locks are always approached physically.

        A perfect digital lock can only be broken by brute forcing the cryptographic key: trying again and again, trillions of times if needed. The digital lock of course can easily rate limit this to prevent even that attack, leaving it truly unbre

        • by adolf ( 21054 )

          As we learn over and over again, there is no such thing as a perfect digital lock: These can be picked just as carefully and undetectably as any mechanical lock.

          There's no need to pick out Flash here, as even OpenBSD is not immune to imperfection.

          • Given enough time and effort, a digital lock could become perfect: no bugs left. Of course that's a lot of effort, yet it is what we should always aim for in software, and OpenBSD is doing a great job in that respect. It's as good as unbreakable.

  • by Anonymous Coward

    This is like their "we paid out (pinky in mouth) $1 million for an Apple iOS 9.1 bug".

    Except there's no evidence they did, but it was handy marketing for them. If they had, Apple could sue them and obtain the bug details (and $$$ in compensation) on a "tortious interference in business" claim.

    So take it with a pinch of salt.
