Any individual researcher or research company can submit exploits and participate in the Zerodium program unless they are citizens/residents of countries listed on US/UN sanctions lists. Please contact us to discuss your specific situation.
Yes. You can receive a pre-offer for your research without disclosing it by submitting minimal technical details without submitting the exploit itself and without disclosing full details of the bug(s). Zerodium will evaluate the minimal details and will eventually confirm its interest and send you a pre-offer.
Our submission process is very simple and straightforward. All research and exploits must be sent to Zerodium using PGP encrypted emails. Visit our submit page for more information.
Submissions can be in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis including a description of the root cause of the bug(s) and exploitation method(s), required configuration and limitations, and any other information necessary to evaluate your submission.
You can install and use PGP on Windows and Linux.
Zerodium acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please check the Bounties section for a list of potentially eligible products.
We acquire high-risk and critical bugs accompanied by a fully functional and reliable exploit. Please check the Bounties section for a list of eligible exploits.
We will be glad to discuss, evaluate, and make offers not only for vulnerabilities and exploits but also for any innovative research, exploitation technique, or mitigation bypass. Please contact us to discuss your findings.
Yes. We can acquire either individual exploits (e.g. a browser RCE without any sandbox escape, or a sandbox escape alone without any browser exploit) or full exploit chains.
No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable/beta/dev/nightly versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.
The final offer sent by Zerodium to acquire your research, once your submission has been fully reviewed and validated, will depend on the quality of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc.) but also on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc.).
After reviewing and approving the research, Zerodium will send you by email the final acquisition offer and the agreement to be signed.
By signing the agreement, you accept the exclusive sale of your research to Zerodium and full transfer of all related intellectual property rights to us, meaning that the research becomes the exclusive property of Zerodium and you are not allowed to re-sell, share, publish, or report the research to any other person or entity.
Zerodium usually pays researchers through international bank transfers. We can also pay using cryptocurrencies including Bitcoin, Monero and Zcash.
Zerodium pays all bounties and bonuses in multiple installments to ensure that the research will meet a minimum lifespan requirement.
Zerodium takes the privacy of researchers very seriously and does not disclose, to any third party (including to customers), any personal information about researchers including names, aliases, email addresses, bank details, or any other personal or confidential information.
Zerodium even restricts internal access to your personal data on a need-to-know basis and uses the information for the sole purpose of processing payments.