ZERODIUM is the world's leading exploit acquisition platform for premium zero-days and advanced cybersecurity research. Founded by cybersecurity veterans with unparalleled experience in zero-day research and exploitation, ZERODIUM constitutes a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity capabilities. ZERODIUM pays the highest bounties on the market to reward researchers and acquire their zero-day discoveries. We believe that this is the only way to support independent researchers and capture the most advanced security research from all around the globe.

What is the difference between ZERODIUM and other programs?

The majority of existing vulnerability acquisition programs focus on quantity instead of quality; hence they usually acquire any kind of vulnerability or PoC but pay researchers very low rewards. ZERODIUM pays much higher rewards because we focus on and acquire only high-risk vulnerabilities with fully functional/reliable exploits affecting modern operating systems, software, and devices.

Furthermore, at ZERODIUM we take ethics very seriously and we choose our customers very carefully, which means that access to your exploits will be highly restricted and limited to a very small number of institutional customers.

Who can participate in the ZERODIUM program?

Researchers from most countries can participate in the ZERODIUM program. However, if you are a citizen/resident of a country listed on US/UN sanctions lists, you may not be eligible to participate in the program. Please contact us to discuss your situation.

How to receive a pre-offer from ZERODIUM before submitting my full research?

To receive a pre-offer for your research, you can submit minimal details about your exploit (without submitting the exploit itself). ZERODIUM will evaluate these details and, if interested, will confirm its interest and send you a pre-offer.

How to submit my research to ZERODIUM?

All submissions to ZERODIUM must be made by PGP encrypted emails. Visit our submit page for more information.

Submissions can be made in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis including a description of the root cause of the bug(s) and exploitation method(s), required configuration (if non-default), and any other information necessary to evaluate your submission.

You can install and use PGP on Windows, Mac, and Linux.

Which products and/or software are eligible?

ZERODIUM acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please read the Program section for a list of potentially eligible products.

Which vulnerability/exploit types are eligible?

We acquire high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, privilege escalation, sandbox bypass/escape, or sensitive information disclosure, as well as many other bug types. Please check the Program section for a list of eligible vulnerability types.

What about exploitation techniques or mitigation bypass?

We will be glad to discuss, evaluate, and make an offer not only for a vulnerability/exploit but also for any innovative research, exploitation technique, or mitigation bypass. Please contact us to discuss your findings.

What about vulnerabilities affecting websites?

ZERODIUM does not acquire vulnerabilities or exploits affecting websites such as Facebook, Google, etc. Please report such vulnerabilities directly to the affected vendor or through their bug bounty program (if any).

Are partial exploits (e.g. browser RCE w/o sandbox bypass/escape, and vice versa) eligible?

Yes, both partial and complete exploit chains are eligible. We acquire full zero-day exploit chains as well as N-stage exploits (e.g. a browser RCE without any sandbox escape/bypass, or a sandbox escape/bypass alone without any client-side exploit), as long as the vulnerability is exploitable and falls within our scope of acquisitions.

Are theoretically-exploitable vulnerabilities (e.g. PoC/Crash file for a memory corruption) eligible?

Not eligible. We only acquire vulnerabilities proven to be exploitable, i.e., accompanied by a fully functional exploit working against the latest/updated version of the affected software/system/device. Feel free to contact us if you think that your vulnerability may still be eligible.

How to increase the potential reward/payment for my vulnerability?

ZERODIUM will make a final offer to acquire your research once your submission is fully evaluated. The offer will depend mostly on the technical quality of your submission (affected product(s), vulnerability type, criticality, attack vector, default vs. non-default configuration, etc.) but also on the quality of your exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, user interaction, etc.).

What happens after accepting an acquisition offer from ZERODIUM?

After evaluating and approving the research, ZERODIUM will send you the final acquisition offer and the agreement to sign.

By signing the agreement, you will accept an exclusive sale of your research to ZERODIUM and transfer all related intellectual property rights to us, meaning that the research becomes the exclusive property of ZERODIUM and you are not allowed to re-sell, share, publish, or report the research to any other person or entity.

Which payment methods and/or bonuses are available?

Acquisitions made by ZERODIUM are usually paid by bank transfer. We can also pay using Bitcoin, Monero, or any other major cryptocurrency.

ZERODIUM pays all bounties and bonuses in multiple installments to ensure that the research will meet a minimum lifespan requirement.

What about the privacy and confidentiality of researchers' information?

For payment purposes, ZERODIUM requires researchers to provide their personal information. ZERODIUM takes the privacy of researchers very seriously and does not disclose to any third party (including customers) any personal information about researchers, including names, aliases, email addresses, bank details, or any other personal or confidential information. ZERODIUM also restricts internal access to your personal data on a need-to-know basis and uses the information for the sole purpose of processing payments.

How is the acquired security research used by ZERODIUM?

ZERODIUM extensively tests, analyzes, validates, and documents all acquired vulnerability research and reports it, along with protective measures and security recommendations, solely to its clients subscribing to the ZERODIUM Zero-Day Research Feed.

Who are ZERODIUM's customers?

ZERODIUM customers are government organizations (mostly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.

At ZERODIUM we take ethics very seriously and we choose our customers very carefully, which means that access to your exploits will be highly restricted and limited to a very small number of institutional customers. Furthermore, ZERODIUM does not have any sales partner or reseller; our solutions are only available through our direct channel.

Is ZERODIUM hiring security researchers and/or reverse engineers?

ZERODIUM is often looking for experienced zero-day vulnerability researchers to join our internal research team. ZERODIUM offers unique opportunities to work on advanced vulnerability research projects in an environment that recognizes and rewards great talent and work.

Please check our Careers section for a list of employment opportunities.