Program Overview

ZERODIUM is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities. We pay BIG bounties to security researchers to acquire their original and previously unreported zero-day research. While most existing bug bounty programs accept almost any kind of vulnerability or PoC yet pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits and we pay the highest rewards (up to $2,000,000 per submission).


Eligible Research

ZERODIUM is currently acquiring zero-day exploits and innovative security research related to the following products:

    Operating Systems

Remote code execution or local privilege escalation:

- Microsoft Windows 10/8.1/Servers

- Apple macOS Mojave / High Sierra

- Linux / BSD (CentOS/Ubuntu/etc)

- VM Escape (VMware ESXi or Workstation)

    Web Browsers

Remote code execution, or sandbox bypass/escape, or both:

- Google Chrome

- Microsoft Edge

- Mozilla Firefox / Tor Browser

- Apple Safari

    Clients / Files

Remote code execution or sensitive information disclosure:

- MS Office (Word/Excel/PowerPoint)

- PDF Readers (Adobe / Foxit)

- Email Clients (Outlook/Thunderbird)

- File Archivers (WinRAR/7-Zip/WinZip)

    Mobiles / Smartphones

Remote code execution, or privilege escalation, or any other exploit type:

- Apple iOS 12.x

- Android 9.x / 8.x

- BlackBerry 10

- Windows 10 Mobile

    Web Servers

Remote code execution or sensitive information disclosure:

- Apache HTTP Server

- Microsoft IIS Server

- nginx web server

- PHP / ASP

- OpenSSL / mod_ssl

    Email Servers

Remote code execution or sensitive information disclosure:

- MS Exchange

- Dovecot

- Postfix

- Exim

- Sendmail

    WebApps / Panels

Remote code execution, or SQL injection, or information disclosure:

- cPanel / Plesk / Webmin

- WordPress / Joomla / Drupal

- vBulletin / MyBB / phpBB

- IPS Suite / IP.Board

- Roundcube / Horde

    Research / Techniques

Any other security research, exploit, or technique related to:

- WiFi / Baseband RCE

- Routers / IoT RCE

- AntiVirus RCE/LPE

- Tor De-anonymization

- Mitigations Bypass

    Eligible Mobile Brands

Apple, Google, Samsung, LG, Huawei, Sony, HTC, Xiaomi, Acer, Asus, Vivo, Motorola, Lenovo, OPPO, BlackBerry, Vertu, ZTE, BBK, and Gionee.

    Eligible Linux/BSD Distributions

CentOS, Fedora, Red Hat Enterprise Linux, Ubuntu, Debian, Tails, NetBSD, OpenBSD, and FreeBSD.

    Eligible Router Brands

ASUS, Cisco, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, and Ubiquiti.

NOTE: If you have zero-day exploits for other products or systems not listed above, feel free to submit minimal details and we will be glad to discuss the opportunity.


ZERODIUM Payouts

ZERODIUM payouts for eligible zero-day exploits range from $2,000 to $2,000,000 per submission. The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc). For more information, please read our FAQ.

The payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting ZERODIUM's highest requirements. ZERODIUM may pay even higher rewards for exceptional exploits and research.

New Payout Highlights

Jan. 7, 2019 - Payouts for the majority of Desktops/Servers and Mobile exploits have been increased. Major changes are highlighted below:

Increased Payouts (Mobiles)

$2,000,000 - Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
$1,500,000 - Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
$1,000,000 - WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)
  $500,000 - Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)
  $500,000 - Safari + LPE (iOS) including a sandbox escape (previously: $200,000)
  $200,000 - Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)
  $100,000 - Local PIN/passcode or Touch ID bypass for Android or iOS (previously: $15,000)

NOTE: Payouts were also increased for other products including: RCE via documents/media, RCE via MitM, ASLR or kASLR bypass, information disclosure, etc.

Increased Payouts (Servers/Desktops)

$1,000,000 - Windows RCE (Zero Click), e.g. via SMB or RDP packets (previously: $500,000)
  $500,000 - Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
  $500,000 - Apache or MS IIS RCE, i.e. remote exploits via HTTP(S) requests (previously: $250,000)
  $250,000 - Outlook RCE, i.e. remote exploits via a malicious email (previously: $150,000)
  $250,000 - PHP or OpenSSL RCE (previously: $150,000)
  $250,000 - MS Exchange Server RCE (previously: $150,000)
  $200,000 - VMware ESXi VM Escape, i.e. guest-to-host escape (previously: $100,000)
   $80,000 - Windows local privilege escalation or sandbox escape (previously: $50,000)

NOTE: Payouts were also increased for other products including: Thunderbird, VMware Workstation, Plesk, cPanel, Webmin, WordPress, 7-Zip, WinRAR, etc.


Submission Process

ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or cryptocurrencies such as Bitcoin or Monero. The first payment is sent within one week or less.

For inquiries and/or exploit submissions, please contact us.