ZERODIUM acquires zero-day vulnerabilities with fully functional exploits only. We do not acquire PoCs for theoretically exploitable or non-exploitable vulnerabilities. For more information, please read our Program and FAQ sections.
To receive a pre-offer or to submit your zero-day research and/or exploit, please send an encrypted email and attach your public PGP key to: using our PGP key.
Minimal Technical Details Required (to receive a pre-offer):
- Targeted software name(s)
- Targeted software version(s) + architecture (32bit, 64bit, or both)
- Targeted OS version(s) + architecture (32bit, 64bit, or both)
- Vulnerability type/class (e.g. memory corruption, race condition, etc)
- Attack scenario/vector (e.g. visit a web page, open a doc, etc)
- Success rate of the exploit (100% or less)
- Time of execution of the exploit (X seconds)
- Is the exploit working with default installations (yes/no)
- Is the exploit requiring any special setting/config (explain)
- Is the exploit requiring any user interaction (explain)
- Is the exploit requiring any specific user privilege (explain)
- Any additional information, limitations, or requirements
- Your nationality and country of residence (for payment purposes)
- Your public PGP key (if you have one)
Full Technical Details Required (after you receive & accept the pre-offer):
- All minimal details listed above plus;
- Fully functional exploit with commented source code
- Technical analysis of all utilized vulnerabilities (analysis of root cause(s), attack vector(s), exploitation method(s) and technique(s))
- Instructions to prepare, adapt, compile, and use the exploit
ZERODIUM reserves the right, at its sole discretion, to make or to not make an offer to acquire a vulnerability for any/no reason.
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies e.g. Bitcoin. The first payment is sent within one week or less. For more information, please read our FAQ.