This cybersecurity startup is making waves in the industry, but not for how it’s fighting crime.
Instead, Zerodium publicly offers significant sums to hackers who are able to expose the types of zero-day vulnerabilities that even the largest tech giants may have no way of stopping – then turns around and sells the hacking methods to the highest bidders.
The company’s elite subscribers, which its CEO told CNN Money only includes major corporations and government organizations from western countries, are willing to shell out as much as $500,000 or more a year just to have access to the tactics for hacking Android phones and spying on their unsuspecting owners.
“This is a weapon,” Zuk Avraham, founder of cybersecurity company Zimperium, told CNN Money when asked about the unorthodox business model. “It takes one man to write an exploit these days — one man willing to sell his soul to the devil.”
Last year, Zerodium awarded an unidentified team of hackers $1 million for their ability to find a zero-day discovery related to the Apple mobile operating system. According to CNN Money, the company has also offered up to $100,00 for Android and Windows Phone hacks, as well as $80,000 for Adobe PDF reader or Flash Player.
While some security experts see the company’s business model as detrimental to public security, Zerodium CEO Chaouki Bekrar explained his intentions are to do just the opposite. Bekrar told CNN Money that his mission is to actually provide law enforcement with better tools.
“The recent story between the FBI and Apple shows the most interesting aspect of the zero-day business, which is the need for government agencies to get access to unpatched flaws to properly conduct investigations and save lives,” he said via email, noting that agencies forcing companies to provide back door access is a poorer alternative.
CNN Money pointed out the very different approach many companies, as well as the U.S. government, have employed to reach a similar result via bug bounty programs. The rewards for hackers or security researchers who participate in these types of initiatives usually range from predetermined payments based on the severity of the vulnerability discovered to participation in loyalty programs, and even frequent flyer miles.