Exploit broker Zerodium announced its intention today to buy zero-day vulnerabilities in the Windows clients of three major VPN providers—ExpressVPN, NordVPN, and Surfshark.
Founded in 2015, Zerodium is a security company based in Washington, DC, that has built a reputation over the years for buying exploits for zero-day vulnerabilities in various applications and then reselling the exploits to government and law enforcement agencies.
The company runs a bug acquisition program on its site, where security researchers can sell their exploits for prices of up to $2.5 million — based on the type and nature of their vulnerability.
In addition, over the years, the company has also held temporary, so-called “bug acquisition drives,” during which it offers to buy zero-day exploits in non-standard software.
Past acquisition drives have targeted routers, cloud services, mobile IM clients, and even something as niche as the Pidgin app, popular with cybercrime organizations.