Zerodium, one of the most well-known security vulnerability brokers, announced that it is tripling payouts for remote code execution exploits on default WordPress installations. Payouts are typically $100K but have been temporarily increased to $300K.
The company focuses on acquiring original and previously unreported zero-day research. It pays researchers for high-risk vulnerabilities and fully functional exploits, with the highest rewards at $2.5M for ‘full chain, zero-click, with persistence’ Android exploits. This price tag was increased from $200K in September 2019, suggesting Android exploits have become more difficult to find or that demand for them has increased significantly.
Exploit resellers operate within a sort of grey area of security research. As a standard practice, security researchers are encouraged to report vulnerabilities to the original developer of the software, not an intermediary that may pass it along to a party that may not use the information for good. The appeal of these companies is that they pay more than most organizations, hence the tagline: “We pay BIG bounties, not bug bounties.”
WordPress has an account with Hackerone to pay security researchers for vulnerabilities but payouts are much smaller in comparison to what exploit brokers pay. This makes it a tough choice for security researchers who do this for a living. Professional zero-day hunters are looking for the highest payouts for the vulnerabilities they find, which can sometimes take months or longer.
Zerodium does not reveal who its clients are or what their purpose is for buying the the vulnerabilities. The best case scenario would be a government entity wanting to secure its own systems. Even then one cannot guarantee that they use the exploit ethically or that they don’t inadvertently leak the exploits where they could be used maliciously by others.
Zerodium did not elaborate on why it has increased payouts for WordPress exploits to $300K. WPScan speculates that the company may suddenly have a greater demand for WordPress RCE exploits, combined with WordPress becoming more secure:
This could indicate that WordPress is becoming more secure and that it is getting harder to find the critical security issues that buyers want. On the other hand, we must also assume that these types of exploits already exist and are already being actively sold on Zerodium and other similar platforms.
We could also conclude that if a government is going to pay more than $300,000 on a WordPress RCE exploit, that they intend to use it. World governments may even barter over the exploits so that the seller, in this case, Zerodium, gets the best price.
WPScan also emphasized that with WordPress having such a large presence on the web, an exploit against core with those particular characteristics “would be devastating to the web as a whole if it landed in the wrong hands.”
“Zerodium increasing their prices may indicate that it is becoming harder to find these critical issues in WordPress Core,” WPScan founder and CEO Ryan Dewhurst said. “That, at least, should be good news for WordPress and the web as a whole.”