Zerodium Exploit Acquisition Program

Program Overview

Zerodium pays BIG bounties to security researchers to acquire their original and previously unreported zero-day research. Most existing bug bounty programs accept almost any type of vulnerability or PoC but pay very little; at Zerodium we focus on high-risk vulnerabilities with fully functional exploits and we pay the highest rewards in the market (up to $2,500,000 per submission).

Eligible Research

We acquire zero-day exploits and innovative security research related to the following products:

   Operating Systems

Remote code execution, local privilege escalation, or VM escape:

- Microsoft Windows

- Linux / BSD

- Apple macOS

- ESXi / HyperV

   Web Browsers

Remote code execution, or sandbox bypass/escape, or both:

- Google Chrome

- Microsoft Edge

- Mozilla Firefox

- Apple Safari

   Clients / Files

Remote code execution or information disclosure:

- MS Office (Word/Excel)

- MS Outlook / Mail App

- Mozilla Thunderbird

- Archivers (7-Zip/WinRAR/Tar)

   Mobiles / Smartphones

Remote code execution, privilege escalation, or any other research:

- Apple iOS

- Apple watchOS

- Android

- Windows Mobile

   Web Servers

Remote code execution or information disclosure:

- Apache HTTP Server

- Microsoft IIS Server

- nginx web server

- OpenSSL / mod_ssl

   Email Servers

Remote code execution or information disclosure:

- MS Exchange

- Dovecot

- Postfix

- Exim

- Sendmail

   Web Apps / Panels

Remote code execution or information disclosure:

- cPanel / Plesk / Webmin

- WordPress Core

- Joomla / Drupal

- vBulletin / MyBB / phpBB

- Roundcube / Horde

   Research / Techniques

Research, exploits or new techniques related to:

- WiFi / Baseband RCE

- Routers / IoT RCE

- AntiVirus RCE/LPE

- Tor De-anonymization

- Mitigations Bypass

You can also check our time-limited bounties and/or temporary changes to our payouts.

NOTE: If you have discovered a zero-day exploit affecting a product which is not listed above, feel free to submit minimal details and we will be glad to discuss the opportunity.

Zerodium Payouts

Bounties for eligible zero-day exploits range from $2,500 to $2,500,000 per submission. The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as on the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc.). For more information, please read our FAQ.

The payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting Zerodium's highest requirements. Zerodium may pay even higher rewards for exceptional exploits and research.

Submission Process

Zerodium reviews and validates all submissions within one week or less. Payments are made in one or multiple installments by bank transfer or cryptocurrencies (e.g. Bitcoin, Monero, Zcash). The first payment is sent within one week or less.