Any company or individual can submit zero-day research and participate in the Zerodium program unless
they are citizens/residents of countries listed on US/UN sanctions lists. Please contact us
to discuss your specific situation.
Yes. You can receive a pre-offer for your research without disclosing it. Simply submit
minimal technical details without submitting the exploit itself and without disclosing full details of the bug(s). Zerodium will evaluate the minimal details and send you a pre-offer if the research meets our requirements. The offer will be confirmed after we review and approve the full research.
Our submission process is very simple and straightforward. All research and exploits must be sent to Zerodium using PGP encrypted emails. Visit our submit
page for more information.
Submissions can be in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis including a description of the root cause of the bug(s) and exploitation method(s), required configuration and limitations, and any other information necessary to evaluate your submission.
You can install and use PGP on Windows
, and Linux
Zerodium acquires vulnerability research and exploits affecting recent operating systems, software, and devices. Please check the Bounties
section for a list of eligible products.
We acquire high-risk vulnerabilities accompanied by a fully functional and reliable exploit. Please check the Bounties
section for a list of eligible exploits.
We will be glad to discuss and make offers not only for zero-day exploits but also for innovative research, exploitation techniques, or a mitigation bypass. Please contact us
to discuss your findings.
Yes. We can acquire either individual exploits (e.g. a browser RCE without any sandbox escape, or a sandbox escape alone without any browser exploit) or chained/combined exploits.
No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable/beta/dev/nightly versions of the affected software/system/device. Feel free to contact us
if you think that your research may still be eligible.
The final offer sent by Zerodium to acquire your research, after your submission is fully reviewed and validated, will depend on the scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc) but also on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc).
After reviewing and approving the research, Zerodium will send you the final acquisition offer and the agreement by email.
By signing the agreement, you accept the exclusive sale of your research to Zerodium and full transfer of all related intellectual property rights to us, meaning that the research becomes the exclusive property of Zerodium and you are not allowed to re-sell, share, publish, or report the research to any other person or entity at any time.
Zerodium usually pays researchers through international bank transfers. We can also pay using cryptocurrencies including Bitcoin, Monero and Zcash.
Zerodium pays all bounties and bonuses in multiple installments to ensure that the research will meet a minimum lifespan requirement.
Zerodium takes the privacy of researchers very seriously and does not disclose, to any third party (including to customers), any personal information about researchers such as names, aliases, email addresses, bank details, or any other personal or confidential information.
Zerodium even restricts internal access to your personal data on a need-to-know basis and uses your personal information for the sole purpose of processing payments.