What is ZERODIUM?

ZERODIUM is a cybersecurity company with operations in North America and EMEA, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. ZERODIUM constitutes a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities. ZERODIUM pays the highest bounties on the market to reward researchers and acquire their zero-day discoveries. We believe that this is the only way to support independent researchers and capture the most advanced security research from all around the globe.

What is the difference between ZERODIUM and other programs?

The majority of existing vulnerability acquisition programs focus on quantity instead of quality; hence they usually acquire any kind of vulnerability or PoC but pay researchers very low rewards. ZERODIUM pays much higher rewards because we focus on and acquire only high-risk vulnerabilities with fully functional, reliable exploits affecting modern operating systems, software, and devices.

Who can participate in the ZERODIUM program?

Researchers from most countries can participate in the ZERODIUM program; however, if you are a citizen or resident of a country listed on US/UN sanctions lists, you are not eligible to participate in the program.

How can I receive a pre-offer from ZERODIUM before I submit my full research?

To receive a pre-offer for your research, you can submit minimal details about your exploit (without submitting the exploit itself). ZERODIUM will evaluate the minimal details and, if interested, confirm its interest and send you a pre-offer.

Minimal Technical Details Required:

- Targeted software name(s)
- Targeted software version(s) + architecture (x86, x64, or both)
- Targeted OS version(s) + architecture (x86, x64, wow64, or all)
- Vulnerability type/class (e.g. memory corruption, race condition, etc.)
- Attack scenario/vector (e.g. visiting a web page, opening a document, etc.)
- Success rate of the exploit (100% or less)
- Execution time of the exploit (X seconds)
- Does the exploit work with default installations?
- Does the exploit require any special setting/configuration? (specify)
- Does the exploit require any user interaction? (specify)
- Does the exploit require any specific user privilege? (specify)
- Any additional information, limitations, or requirements
- Your public PGP key (if you have one)

How do I submit my research to ZERODIUM?

All submissions to ZERODIUM must be made by PGP-encrypted email. Visit our submit page for more information.

You can install/use PGP on various platforms including: Windows, Mac, and Linux.

What format should my vulnerability submission be in?

Submissions can be made in any format as long as all the supplied files and/or messages are PGP-encrypted. All submissions must include: a fully functional exploit with its source code (if any), and a technical analysis of the vulnerability including a description of the root cause of the flaw, the attack vectors, the exploitation technique(s), the required configuration (if non-default), and any other information necessary to evaluate your submission.

You can install and use PGP on Windows, Mac, and Linux.

Which products and/or software are eligible?

ZERODIUM acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please read the Program section for a list of potentially eligible products.

Which vulnerability/exploit types are eligible?

We acquire high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, privilege escalation, sandbox bypass/escape, or sensitive information disclosure, as well as many other types of bugs. Please read the Program section for a list of eligible vulnerability types.

What about exploitation techniques or mitigation bypass?

We will be glad to discuss, evaluate, and make an offer not only for a vulnerability/exploit but also for any innovative research, exploitation technique, or mitigation bypass. Please contact us to discuss your findings.

What about vulnerabilities affecting online services/websites?

ZERODIUM does not acquire vulnerabilities or exploits affecting online services or websites such as Facebook, Google, etc. Please report such vulnerabilities directly to the affected vendor or through one of their bug bounty programs.

Are partial exploits (e.g. browser RCE w/o sandbox bypass/escape, and vice versa) eligible?

Yes, both partial and complete exploit chains are eligible. We acquire full chains of zero-day exploits as well as N-stage exploits (e.g. a browser RCE without any sandbox escape/bypass, or a sandbox escape/bypass or privilege escalation alone without any client-side exploit), as long as the vulnerability is exploitable and falls within our scope of acquisitions.

Are theoretically exploitable vulnerabilities (e.g. a PoC/crash file for a memory corruption) eligible?

Not eligible. For memory corruption vulnerabilities, we only acquire vulnerabilities proven to be exploitable, i.e., accompanied by a fully functional exploit working against the latest/updated version of the affected software/system/device. Feel free to contact us if you think that your vulnerability may still be eligible.

How can I increase the potential reward/payment for my vulnerability?

ZERODIUM will make an offer to acquire your research once your submission has been fully evaluated. The offer will depend mostly on the technical quality of your submission (affected product(s), vulnerability type, criticality, attack vector, default vs. non-default configuration, etc.) but also on the quality of your exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, user interaction, etc.).

Which payment methods and/or bonuses are available?

Acquisitions made by ZERODIUM are usually paid by bank/wire transfer. Payments can also be made in Bitcoin (in specific cases only).

ZERODIUM pays all rewards in one or multiple installments and may pay additional bonuses if the research meets specific lifespan requirements.

If you, your bank, or your country is on a US/UN sanctions list, you are not eligible to participate in the program or receive payments.

What about the privacy and confidentiality of researchers' information?

ZERODIUM takes the privacy of researchers very seriously and does not disclose to any third party (including customers) any personal information about researchers, such as names, aliases, email addresses, bank details, or any other personal or confidential information.

ZERODIUM also restricts internal access to your personal data on a need-to-know basis and uses the information for the sole purpose of processing payments.

How is the acquired security research used by ZERODIUM?

ZERODIUM extensively tests, analyzes, validates, and documents all acquired vulnerability research and reports it, along with protective measures and security recommendations, solely to its clients as part of the ZERODIUM Zero-Day Research Feed.

Who are ZERODIUM's customers?

ZERODIUM customers are mainly government organizations in need of specific and tailored cybersecurity capabilities, as well as major corporations from the defense, technology, and financial sectors in need of protective solutions to defend against zero-day attacks.

Access to ZERODIUM solutions and capabilities is highly restricted and is only available to a very limited number of organizations.

Is ZERODIUM hiring security researchers and/or reverse engineers?

ZERODIUM is often looking for experienced zero-day vulnerability researchers to join our internal research team. ZERODIUM offers unique opportunities to work on advanced vulnerability research projects in an environment that recognizes and rewards great talent and work.

Please check our Careers section for a list of employment opportunities.