Program Overview

ZERODIUM is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities. We pay BIG bounties to security researchers to acquire their original and previously unreported zero-day research. Most existing bug bounty programs accept almost any kind of vulnerability or PoC but pay very low rewards; at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits and pay the highest rewards (up to $2,000,000 per submission).

Eligible Research

ZERODIUM is currently acquiring zero-day exploits and innovative security research related to the following products:

Operating Systems

Remote code execution or local privilege escalation:

- Microsoft Windows 10/8.1/Servers

- Apple macOS Mojave / High Sierra

- Linux / BSD (CentOS/Ubuntu/etc)

- VM Escape (VMware ESXi or Workstation)

Web Browsers

Remote code execution, or sandbox bypass/escape, or both:

- Google Chrome

- Microsoft Edge

- Mozilla Firefox / Tor Browser

- Apple Safari

Clients / Files

Remote code execution or sensitive information disclosure:

- MS Office (Word/Excel/PowerPoint)

- PDF Readers (Adobe / Foxit)

- Email Clients (Outlook/Thunderbird)

- File Archivers (WinRAR/7-Zip/WinZip)

Mobiles / Smartphones

Remote code execution, or privilege escalation, or any other exploit type:

- Apple iOS 12.x

- Android 9.x / 8.x

- BlackBerry 10

- Windows 10 Mobile

Web Servers

Remote code execution or sensitive information disclosure:

- Apache HTTP Server

- Microsoft IIS Server

- nginx web server

- OpenSSL / mod_ssl

Email Servers

Remote code execution or sensitive information disclosure:

- MS Exchange

- Dovecot

- Postfix

- Exim

- Sendmail

WebApps / Panels

Remote code execution, or SQL injection, or information disclosure:

- cPanel / Plesk / Webmin

- WordPress / Joomla / Drupal

- vBulletin / MyBB / phpBB

- IPS Suite / IP.Board

- Roundcube / Horde

Research / Techniques

Any other security research, exploit, or technique related to:

- WiFi / Baseband RCE

- Routers / IoT RCE

- AntiVirus RCE/LPE

- Tor De-anonymization

- Mitigations Bypass

Eligible Mobile Brands

Apple, Google, Samsung, LG, Huawei, Sony, HTC, Xiaomi, Acer, Asus, Vivo, Motorola, Lenovo, OPPO, BlackBerry, Vertu, ZTE, BBK, and Gionee.

Eligible Linux/BSD Distributions

CentOS, Fedora, Red Hat Enterprise Linux, Ubuntu, Debian, Tails, NetBSD, OpenBSD, and FreeBSD.

Eligible Router Brands

ASUS, Cisco, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, and Ubiquiti.

NOTE: If you have zero-day exploits for other products or systems not listed above, feel free to submit minimal details and we will be glad to discuss the opportunity.


ZERODIUM payouts for eligible zero-day exploits range from $2,000 to $2,000,000 per submission. The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc). For more information, please read our FAQ.

The payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting ZERODIUM's highest requirements. ZERODIUM may pay even higher rewards for exceptional exploits and research.

New Payouts Highlights

Jan. 7, 2019 - Payouts for the majority of Desktops/Servers and Mobile exploits have been increased. Major changes are highlighted below:

Increased Payouts (Mobiles / Smartphones)

- $2,000,000 - Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)

- $1,500,000 - Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)

- $1,000,000 - WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)

- $500,000 - Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)

- $500,000 - Safari + LPE (iOS) including a sandbox escape (previously: $200,000)

- $200,000 - Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)

- $100,000 - Local pin/passcode or Touch ID bypass for Android or iOS (previously: $15,000)

NOTE: Payouts were also increased for other products including: RCE via documents/media, RCE via MitM, ASLR or kASLR bypass, information disclosure, etc.

Increased Payouts (Desktops / Servers)

- $1,000,000 - Windows RCE (Zero Click), e.g. via SMB or RDP packets (previously: $500,000)

- $500,000 - Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)

- $500,000 - Apache or MS IIS RCE, i.e. remote exploits via HTTP(S) requests (previously: $250,000)

- $250,000 - Outlook RCE, i.e. remote exploits via a malicious email (previously: $150,000)

- $250,000 - PHP or OpenSSL RCE (previously: $150,000)

- $250,000 - MS Exchange Server RCE (previously: $150,000)

- $200,000 - VMware ESXi VM escape, i.e. guest-to-host escape (previously: $100,000)

- $80,000 - Windows local privilege escalation or sandbox escape (previously: $50,000)

NOTE: Payouts were also increased for other products including: Thunderbird, VMware Workstation, Plesk, cPanel, Webmin, WordPress, 7-Zip, WinRAR, etc.

Submission Process

ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or in cryptocurrencies such as Bitcoin or Monero. The first payment is sent within one week or less.

For inquiries and/or exploit submissions, please contact us.