Exploit Vendor Zerodium Puts $100,000 Bounty On Flash's New Security Feature (softpedia.com)
An anonymous reader writes: Zerodium, the company that buys zero-day bugs from security researchers and then sells them on to government intelligence agencies, has put out a new bounty, this one on Adobe's Flash Player. The exploit vendor is offering $100,000 to the first researcher who finds a similar zero-day bug, capable of avoiding Flash's newly released isolated heap memory protection feature. Previously, Zerodium offered $1 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system.
The most value from such an exploit...
... would be being able to accumulate a list of the users stupid enough to still have Flash installed! (Or allowing it to be run indiscriminately.)
(If you do have it, please use a Flash blocker, so that you only click the button to run Flash on trusted sites.)
For all the ridiculous arms export regulations around encryption historically, this actually seems much more like serious arms sales. Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.
Pretty sure they pocket at least 5-10x that $100k for every sale they make to a governmental organization...
How long, Nimbus, will you abuse our patience? ("Quo usque tandem abutere, Nimbus, patientia nostra?")