ZERODIUM is a cybersecurity start-up company with operations in North America and EMEA. It was founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. ZERODIUM contributors are from a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities. ZERODIUM pays the highest rewards to researchers for their zero-day discoveries, as we believe that this is the only way to capture the most advanced security research from all around the globe.
The majority of existing vulnerability acquisition programs focus on quantity instead of quality; hence they usually acquire any kind of vulnerability but pay researchers very low rewards. At ZERODIUM we pay much higher rewards, as we only focus on and acquire high-risk vulnerabilities with fully functional/reliable exploits affecting modern operating systems, software, and devices.
Researchers from most countries can participate in the ZERODIUM program; however, if you are a citizen/resident of a country listed on US/UN sanctions lists, you are ineligible to participate in the program.
All submissions to ZERODIUM must be achieved through PGP encrypted emails. Visit our submit page for more information.
We only acquire high-end vulnerability research and exploits affecting modern operating systems, software, and devices. Please read the Program section for a list of potentially eligible products.
We only acquire high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, privilege escalation, sandbox bypass/escape, or sensitive information disclosure. Please read the Program section for a list of eligible vulnerability types.
We will be glad to discuss, evaluate, and make an offer not only for a vulnerability/exploit but also for any innovative research, exploitation technique, or mitigation bypass. Please contact us to discuss your findings.
ZERODIUM does not acquire vulnerabilities or exploits affecting online services or web sites such as Facebook, Google, etc. Please report such vulnerabilities directly to the affected vendor or through one of their bug bounty programs.
Yes, both partial and complete exploit chains are eligible. We acquire full chains of zero-day exploits as well as N-stage exploits (e.g. a browser RCE without any sandbox escape/bypass, or a sandbox escape/bypass or privilege escalation alone without any client-side exploit), as long as the vulnerability is exploitable and falls within our eligibility scope.
Not eligible. For memory corruption vulnerabilities, we only acquire vulnerabilities proven to be exploitable, i.e., accompanied by a fully functional exploit working with the latest/updated version of the affected software/system/device. Feel free to contact us if you think that your vulnerability may still be eligible.
Submissions can be made in any format as long as all the supplied files and/or messages are PGP encrypted. All submissions must include: a fully functional exploit with source code (if any), a technical analysis of the vulnerability including a description of the root cause of the flaw, attack vectors, exploitation technique(s), required configuration (if non-default), and any other information necessary to evaluate your submission.
ZERODIUM will make an offer to acquire your research once your submission is fully evaluated. The offer will mostly depend on the technical quality of your submission (affected product(s), vulnerability type, criticality, attack vector, default vs. non-default configuration, etc.) but also on the quality of your exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, etc.).
ZERODIUM cannot discuss or share any financial information regarding a potential reward/payment before evaluating an acquisition opportunity, but ZERODIUM guarantees that researchers will receive rewards higher than any other bug bounty or software vendor reward on the market, including those from Google, Mozilla, Internet Bug Bounty, etc. Please read the Program section for a list of potential payouts.
Any acquisition made by ZERODIUM will be paid in full and in one installment via a bank/wire transfer. ZERODIUM may also pay additional bonuses in one or more installments if the research meets specific lifespan requirements. If you, your bank, or your country is on US/UN sanctions lists, you are ineligible to participate in the program or receive payments.
ZERODIUM extensively analyzes and documents all acquired vulnerability research and provides it, along with protective measures and security recommendations, to its clients as part of the ZERODIUM Zero-Day Research Feed.
ZERODIUM customers are major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.
ZERODIUM is always hiring experienced zero-day vulnerability researchers to join our internal research team. ZERODIUM offers unique opportunities to work on advanced vulnerability research projects in an environment that recognizes and rewards great talent and work.
Please check our Careers section for a list of employment opportunities.