Zerodium offers up to $100,000 for zero-days in Pidgin

 


The well-known exploit broker Zerodium has announced that it will pay up to $100,000 for exploits abusing zero-day vulnerabilities in Pidgin (formerly named Gaim), a chat client popular among cybercriminals.

Pidgin is a free and open-source multi-platform instant messaging client, based on a library named libpurple with support for multiple instant messaging protocols, allowing the user to simultaneously log in to various services from a single application. Pidgin is widely used for its Off-the-Record Messaging (OTR) plugin, which offers end-to-end encryption.

“We are looking for remote code execution exploits affecting the latest version of Pidgin on Windows and/or Linux. The exploit should work with default installations and should not require any user interaction other than reading a message,” Zerodium wrote on its website.

The offer, which the company calls a “temporary bounty”, will be valid for the next three months, until August 31, 2021. In addition to Pidgin zero-days, the company is interested in acquiring zero-days in the WordPress CMS and the ISPConfig web hosting panel.

