To receive a pre-offer or to submit your zero-day research and/or exploit, please send an encrypted email and your public PGP key to: using our PGP key.
Minimal Technical Details Required (to receive a pre-offer):
- Targeted software name(s)
- Targeted software version(s) + architecture (32bit, 64bit, or both)
- Targeted OS version(s) + architecture (32bit, 64bit, or both)
- Vulnerability type/class (e.g. memory corruption, race condition, etc)
- Attack scenario/vector (e.g. visit a web page, open a doc, etc)
- Success rate of the exploit (100% or less)
- Time of execution of the exploit (X seconds)
- Is the exploit working with default installations
- Is the exploit requiring any special setting/config (explain)
- Is the exploit requiring any user interaction (explain)
- Is the exploit requiring any specific user privilege (explain)
- Any additional information, limitations, or requirements
- Your public PGP key (if you have one).
Full Technical Details Required (after you receive & accept the pre-offer):
- All minimal details as listed above plus;
- Fully functional exploit with commented source code
- Technical analysis of all utilized vulnerabilities (analysis of root causes, attack vectors, exploitation method(s) and technique(s))
- All instructions required to prepare, adapt, compile, and use the exploit
ZERODIUM acquires zero-day vulnerabilities with fully functional exploits only. We do not acquire PoCs for theoretically exploitable or non-exploitable vulnerabilities. For more information, please read our Program and FAQ sections.
ZERODIUM reserves the right, at its sole discretion, to make or to not make an offer to acquire a vulnerability for any/no reason.
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies such as Bitcoin (in specific cases only). The first payment is made within one week or less. For more information, please read our FAQ.