Meanwhile, Zerodium’s quest to buy VPN exploits is problematic, researchers said.
The launch of a standing offer to pay for Windows virtual private network (VPN) software zero-day exploits came to light this week, even as the U.S. mulls new regulations on the export of tools that could be used in cyberattacks against the U.S. or its interests.
The developments signal that the U.S. cybersecurity community is going on the offensive against nation-state actors, researchers noted — but they may not have much effect.
Zerodium, which operates high-end, high-dollar third-party bug-bounty programs, often on behalf of western governments announced it was on the lookout for exploits impacting Windows ExpressVPN, NordVPN and Surfshark. Specifically, the company wants “information disclosure, IP address leak or remote code execution,” the company’s tweet said. “Local privilege escalation is out of scope.”
We’re looking for #0day exploits affecting VPN software for Windows:
Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.
Contact us: https://t.co/R6E2CVU9K3
— Zerodium (@Zerodium) October 19, 2021
Attackers hide behind VPNs to keep their location and IP addresses hidden. Between them, ExpressVPN, NordVPN and Surfshark serve