Frequently Asked Questions

About Bounties

Who can participate in the Zerodium program?

Any individual researcher or research company can submit exploits and participate in the Zerodium program unless they are citizens/residents of countries listed on US/UN sanctions lists. Please contact us to discuss your specific situation.

Can I receive a pre-offer from Zerodium before I submit my full research?

Yes. You can receive a pre-offer for your research without disclosing it: submit minimal technical details, without the exploit itself and without the full details of the bug(s). Zerodium will evaluate these minimal details and, if interested, will confirm this and send you a pre-offer.

How do I submit my zero-days or innovative research to Zerodium?

Our submission process is very simple and straightforward. All research and exploits must be sent to Zerodium using PGP encrypted emails. Visit our submit page for more information.

Submissions can be in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis including a description of the root cause of the bug(s) and exploitation method(s), required configuration and limitations, and any other information necessary to evaluate your submission.

You can install and use PGP on Windows, Mac, and Linux.

Which products and/or software are eligible?

Zerodium acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please check the Bounties section for a list of potentially eligible products.

Which vulnerability/exploit types are eligible?

We acquire high-risk and critical bugs accompanied by a fully functional and reliable exploit. Please check the Bounties section for a list of eligible exploits.

What about exploitation techniques or mitigation bypass?

We will be glad to discuss, evaluate, and make offers not only for vulnerabilities and exploits but also for any innovative research, exploitation technique, or mitigation bypass. Please contact us to discuss your findings.

Are partial exploits (e.g. browser RCE w/o sandbox escape, and vice versa) eligible?

Yes. We can acquire either individual exploits (e.g. a browser RCE without any sandbox escape, or a sandbox escape alone without any browser exploit) or full exploit chains.

Are theoretically-exploitable vulnerabilities (e.g. PoC/crash/trigger only) eligible?

No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable/beta/dev/nightly versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.

How can I increase the potential bounty/reward for my research?

The final offer sent by Zerodium to acquire your research, once your submission has been fully reviewed and validated, will depend on the quality of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc.) and also on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc.).

What happens after accepting an acquisition offer from Zerodium?

After reviewing and approving the research, Zerodium will send you by email the final acquisition offer and the agreement to be signed.

By signing the agreement, you accept the exclusive sale of your research to Zerodium and full transfer of all related intellectual property rights to us, meaning that the research becomes the exclusive property of Zerodium and you are not allowed to re-sell, share, publish, or report the research to any other person or entity.

Which payment methods and/or bonuses are available?

Zerodium usually pays researchers through international bank transfers. We can also pay using cryptocurrencies including Bitcoin, Monero and Zcash.

Zerodium pays all bounties and bonuses in multiple installments to ensure that the research will meet a minimum lifespan requirement.

What about the privacy and confidentiality of researchers' information?

Zerodium takes the privacy of researchers very seriously and does not disclose, to any third party (including customers), any personal information about researchers, including names, aliases, email addresses, bank details, or any other personal or confidential information.

Zerodium even restricts internal access to your personal data on a need-to-know basis and uses the information for the sole purpose of processing payments.

About Zerodium

What is Zerodium?

Zerodium is the world's leading exploit acquisition platform for premium zero-days and advanced cybersecurity research.

Founded in 2015 by cybersecurity veterans with unparalleled experience in zero-day research and exploitation, Zerodium is now a global community of independent security researchers working together to provide the most powerful cybersecurity capabilities to institutional customers.

Zerodium pays the highest bounties in the market to reward researchers and acquire their zero-day discoveries. We believe that this is the only way to support the zero-day research community and capture the most advanced and innovative research from all around the world.

What is the difference between ZERODIUM and other bug bounty programs?

The majority of existing vulnerability acquisition platforms focus on quantity rather than quality; hence they usually acquire any kind of vulnerability or PoC but pay researchers very low rewards. Zerodium pays much higher bounties because we focus on and acquire only high-risk vulnerabilities with fully functional/reliable exploits.

Furthermore, Zerodium's acquisition process and payments are simple, straightforward, and fast (less than a week).

Finally, at Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process. Access to acquired zero-day research is highly restricted and is limited to a very small number of institutional clients.

How is the acquired security research used by Zerodium?

Zerodium reviews, tests, validates, and documents all acquired vulnerability research then provides it to institutional clients as part of the Zerodium Zero-Day Research Feed.

Who are Zerodium's customers?

Zerodium customers are government organizations (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.

At Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process. Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.

Furthermore, Zerodium does not have any sales partners or resellers, meaning that our solutions are only available through our direct sales channel.

Is Zerodium hiring security researchers?

Zerodium is often looking for experienced vulnerability researchers to join our internal zero-day research team. Zerodium offers unique opportunities to work on advanced vulnerability research projects in an environment that recognizes and rewards great talent and work. Please contact us to discuss employment opportunities.