Frequently Asked Questions

About Bounties

Who can participate in the Zerodium program and submit exploits?

Any company or individual can submit zero-day research and participate in the Zerodium program unless they are citizens/residents of countries listed on US/UN sanctions lists. Please contact us to discuss your specific situation.

Can I receive a pre-offer from Zerodium before I submit my full research?

Yes. You can receive a pre-offer for your research without disclosing it. Simply submit minimal technical details without submitting the exploit itself and without disclosing full details of the bug(s). Zerodium will evaluate the minimal details and send you a pre-offer if the research meets our requirements. The offer will be confirmed after we review and approve the full research.

How do I submit my zero-day research to Zerodium?

Our submission process is very simple and straightforward. All research and exploits must be sent to Zerodium using PGP encrypted emails. Visit our submit page for more information.

Submissions can be in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis including a description of the root cause of the bug(s) and exploitation method(s), required configuration and limitations, and any other information necessary to evaluate your submission.

You can install and use PGP on Windows, Mac, and Linux.

Which products and/or software are eligible?

Zerodium acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please check the Bounties section for a list of eligible products.

Which vulnerability/exploit types are eligible?

We acquire high-risk vulnerabilities accompanied by a fully functional and reliable exploit. Please check the Bounties section for a list of eligible exploits.

Do you also acquire exploitation techniques or mitigation bypasses?

We will be glad to discuss and make offers not only for zero-day exploits but also for innovative research, exploitation techniques, or a mitigation bypass. Please contact us to discuss your findings.

Are partial exploits (e.g. browser RCE w/o sandbox escape) eligible?

Yes. We can acquire either individual exploits (e.g. a browser RCE without any sandbox escape, or a sandbox escape alone without any browser exploit) or chained/combined exploits.

Are theoretically exploitable bugs (e.g. PoC/crash/trigger only) eligible?

No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable/beta/dev/nightly versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.

How do I increase the potential bounty/reward for my research?

The final offer sent by Zerodium to acquire your research, after your submission is fully reviewed and validated, will depend both on the scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc.) and on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc.).

What happens after accepting an acquisition offer from Zerodium?

After reviewing and approving the research, Zerodium will send you the final acquisition offer and the agreement by email.

By signing the agreement, you accept the exclusive sale of your research to Zerodium and full transfer of all related intellectual property rights to us, meaning that the research becomes the exclusive property of Zerodium and you are not allowed to re-sell, share, publish, or report the research to any other person or entity at any time.

Which payment methods and bonuses are available?

Zerodium usually pays researchers through international bank transfers. We can also pay using cryptocurrencies including Bitcoin, Monero and Zcash.

Zerodium pays all bounties and bonuses in multiple installments to ensure that the research will meet a minimum lifespan requirement.

How do you protect the privacy and confidentiality of researcher information?

Zerodium takes the privacy of researchers very seriously and does not disclose, to any third party (including to customers), any personal information about researchers such as names, aliases, email addresses, bank details, or any other personal or confidential information.

Zerodium even restricts internal access to your personal data on a need-to-know basis and uses your personal information for the sole purpose of processing payments.

About Zerodium

What is Zerodium?

Zerodium is the world's leading exploit acquisition platform for premium zero-days and advanced cybersecurity research.

Founded in 2015 by cybersecurity veterans with unparalleled experience in zero-day research and exploitation, Zerodium is now a global community of independent security researchers working together to provide the most powerful cybersecurity capabilities to institutional clients.

Zerodium pays the highest bounties in the market to reward researchers and acquire their zero-days. We believe that this is the only way to support the zero-day research community and capture the most advanced and innovative research from all around the world.

What is the difference between Zerodium and other bug bounty programs?

The majority of existing vulnerability acquisition platforms focus on quantity rather than quality; hence they usually acquire any kind of vulnerability or PoC but pay very low rewards. Zerodium pays much higher bounties because we focus only on acquiring high-risk vulnerabilities with fully functional and reliable exploits.

Furthermore, Zerodium's acquisition process and payments are simple, straightforward, and very fast (the whole process, from submission review to payment, is usually completed within a week or less).

Finally, at Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process. Access to acquired zero-day research is highly restricted and is limited to a very small number of institutional clients.

How is the acquired security research used by Zerodium?

Zerodium reviews, tests, validates, and documents all acquired vulnerability research then provides it to institutional clients as part of the Zerodium Zero-Day Research Feed.

Who are Zerodium's customers?

Zerodium's customers are government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.

At Zerodium we take ethics very seriously and we choose our customers very carefully through a very strict due diligence and vetting process. Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients.

Furthermore, Zerodium does not have any sales partners or resellers, meaning that our solutions are only available through our direct sales channel.

Is Zerodium hiring security researchers?

Zerodium is often looking for experienced vulnerability researchers to join our internal zero-day research team. Zerodium offers unique opportunities to work on advanced vulnerability research projects in an environment that recognizes and rewards great talent and work. Please contact us to discuss employment opportunities.