Exploit vendor offers large bounties for messaging app 0days

Controversial exploit vendor Zerodium is willing to pay up to half a million US dollars (A$632,128) for working remote code execution and local privilege escalation security flaws in popular secure messaging apps.

The company has added Telegram, Facebook Messenger, WhatsApp, Viber, WeChat and Signal to its bounty list for zero-day vulnerabilities.

It will also pay US$500,000 for working exploits against Apple's iMessage as well as telcos' text and multimedia messaging services.

Apple iOS 11 remote jailbreaks or bypassing of the operating system's restrictions against running code with elevated privileges pay even more.

Zerodium has upped its offer to US$1.5 million for such exploits, but they have to be remote and with no user interaction such as clicking on links or opening files, else the bounty drops to US$1 million (A$1.26 milllion).

The exploit vendor also targets desktop operating systems, web browsers, and servers, as well as mobile phones from Apple, Android makers, and Blackberry.

Zerodium says it sells the exploits to governments which use them to track and capture criminals. It has denied the exploits are sold to repressive regimes. It also will not share the flaws with vendors so patches can be developed.