ZERODIUM pays premium rewards to security researchers to acquire their original and previously unreported zero-day exploits affecting major operating systems, software, and/or devices. While most existing bug bounty programs accept almost any kind of vulnerability or PoC and pay lower rewards, ZERODIUM focuses on high-risk vulnerabilities with fully functional exploits and pays the highest rewards on the market.
ZERODIUM may make an offer to acquire fully functional zero-day exploits affecting the following products:
Remote code execution or local privilege escalation:
- Microsoft Windows 10/8.x/7
- Apple Mac OS X 10.12/10.11
- Linux (Ubuntu, CentOS, Tails)
- VM Guest-to-Host Escape
Remote code execution, or sandbox bypass/escape (if any), or both:
- Google Chrome (any OS)
- Microsoft Edge / IE 11-10
- Mozilla Firefox / TBB (any OS)
- Apple Safari (Mac OS X / iOS)
Remote code execution, or sandbox bypass/escape (if any), or both:
- Adobe Flash Player (any OS)
- Microsoft Office (Word/Excel)
- Windows Reader App (PDF)
- Adobe PDF Reader (any OS)
Remote code execution, or privilege escalation, or TEE/TrustZone, or all:
- Apple iOS 10.x
- Android 7.x/6.x
- BlackBerry OS 10
- Windows 10 Mobile
Remote code execution or sensitive information disclosure:
- Apache HTTP Server
- Microsoft IIS 10/8.x/7.x
- nginx web server
- OpenSSL / mod_ssl / PHP
Remote code execution or sensitive information disclosure:
- MS Exchange Server
- Dovecot
- Postfix
- Sendmail
Remote code execution or remote SQL injection:
- WordPress / Joomla / Drupal
- phpBB / vBulletin / MyBB
- IP.Suite / IP.Board
- Roundcube / Horde
Any other innovative research or techniques related to:
- Mitigation Bypass (e.g. ASLR)
- Mobile Baseband RCE
- Tor De-anonymization
- AntiVirus RCE/LPE
NOTE: For vulnerabilities affecting other products or systems, feel free to contact us to discuss the opportunity.
ZERODIUM payouts for eligible zero-day exploits range from $5,000 to $1,500,000 per submission. The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security strength of the affected software, as well as the quality of the submitted exploit (full or partial chain, reliability, supported versions/systems/architectures, bypassed exploit mitigations, limitations, process continuation, etc). For more information about our zero-day acquisition program, please read our FAQ.
The payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting ZERODIUM's requirements. ZERODIUM may pay higher rewards for exceptional exploits or research.
Changes of Sep. 29, 2016
| Product / Exploit Type | New Price | Previous Price |
|---|---|---|
| Apple iOS 10 (Remote Jailbreak) | $1,500,000 | $500,000 |
| Android 7 (Remote Jailbreak) | $200,000 | $100,000 |
| Flash (RCE) + Sandbox Escape | $100,000 | $80,000 |
| MS Edge + IE (RCE) + Sandbox Escape | $80,000 | $50,000 |
| Safari on Mac (RCE) + Sandbox Escape | $80,000 | $50,000 |
| OpenSSL or PHP (RCE) | $50,000 | $40,000 |
| MS Windows Reader App (RCE) | $50,000 | $30,000 |
| MS Office Word/Excel (RCE) | $40,000 | $30,000 |
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made by wire transfer within one week or less. For more information, please read our FAQ.
ZERODIUM reserves the right, at its sole discretion, to make or not make an offer to acquire any submitted research, for any reason or no reason.
For inquiries and/or vulnerability submissions, please contact us using our PGP key.
ZERODIUM does not acquire PoCs for theoretically exploitable or non-exploitable vulnerabilities. We only acquire zero-day vulnerabilities with fully functional exploits, whether single-stage or multi-stage; for example, browser exploits with or without a sandbox bypass/escape are both eligible. For more information, please read our FAQ.
ZERODIUM does not acquire vulnerabilities or exploits affecting online services or web sites such as Facebook, Google, Apple, etc. Please report such vulnerabilities directly to the affected vendor or through one of their bug bounty programs (if any).