White Hat Institute

Zero-day flaws for Microsoft Outlook RCE are now on the market for $400,000


Zerodium, an exploit broker, has increased its payout for zero-day flaws that enable remote code execution (RCE) in the Microsoft Outlook email client to $400,000. The new payout is temporary, according to the company, but the deadline for submissions has yet to be announced.

The standard bounty for an RCE bug in Microsoft Outlook for Windows is $250,000, with “a fully working and trustworthy exploit” required. For $400,000, Zerodium is looking for an attack that allows remote code execution without user involvement, or “zero-click,” when Microsoft’s email client receives or downloads messages.

“We are temporarily increasing our payout for Microsoft Outlook RCEs from $250,000 to $400,000. We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment.” — Zerodium

The company is not offering the increased prize for exploits that require the victim to open or read an email, but the contributor will still receive a smaller, unspecified reward. Zerodium also reminds users that it is still paying up to $200,000 for exploits that lead to remote code execution in Mozilla Thunderbird, an offer it has had in place since 2019.

The exploit rewards for Mozilla Thunderbird are subject to the same terms as those for Microsoft Outlook. An RCE in an email client would give attackers access to all accounts on the system. While Microsoft did not clarify a deadline for reporting zero-click Microsoft Outlook exploits, it is possible that the deadline would be extended.

Zerodium stated on March 31, 2021 that it will temporarily triple the payout for WordPress RCE vulnerabilities, and the incentive is still valid today. The average payment for an exploit in the most widely used open-source content management system (CMS) is $100,000.

On the page listing temporarily increased bounties, only WordPress, Mozilla Thunderbird, and Microsoft Outlook are labeled as active. Temporary offers for RCE and sandbox escape in Google Chrome (both up to $400,000) and for RCE in VMware vCenter Server (up to $150,000) have recently expired.