ZERODIUM acquires zero-day vulnerabilities with fully functional exploits only. We do not acquire PoCs for theoretically exploitable or non-exploitable vulnerabilities. For more information, please read our Program and FAQ sections.
To receive a pre-offer or to submit your zero-day research and/or exploit, please send an encrypted email and attach your public PGP key to: using our PGP key.
Important: Please check your spam/junk folder in case our emails are flagged as spam. We usually reply within 1 to 2 business days.
Minimal Technical Details Required (to receive a pre-offer):
- Target software name
- Target software version(s) + architecture(s) (32-bit, 64-bit, or both)
- Target OS version(s) + architecture(s) (32-bit, 64-bit, or both)
- Vulnerability type/class (e.g. use-after-free, race condition, etc.)
- Attack scenario/vector (e.g. visit a web page, open a doc, etc.)
- Success rate of the exploit (100% or less)
- Time of execution of the exploit (X seconds)
- Does the exploit include process continuation, i.e. no crash after exploitation (yes/no)
- What kind of shellcode/payload is provided with the exploit (explain)
- Does the exploit work with default installations (yes/no)
- Does the exploit require any special setting or configuration (explain)
- Does the exploit require any authentication or credentials (explain)
- Does the exploit require any user interaction (explain)
- Does the exploit require any specific user privilege (explain)
- What is the obtained privilege after a successful exploitation (explain)
- Any additional information, limitations, or requirements
- Your nationality and country of residence (for payment purposes)
- Your public PGP key (if you have one).
[You can install and use PGP on Windows, Mac, and Linux]
Full Technical Details Required (after you receive & accept the pre-offer):
- Fully functional exploit in any programming language, with commented source code
- Technical analysis of all exploited bugs (analysis of the root cause(s), exploitation technique, and mitigation bypasses)
- Step-by-step instructions and list of requirements to prepare, compile, and use the exploit
ZERODIUM reserves the right, at its sole discretion, to modify or cancel a pre-offer, and to acquire or to not acquire an exploit for any/no reason.
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or in cryptocurrencies such as Bitcoin or Monero. The first payment is sent within one week or less.
For inquiries and/or exploit submissions, please contact us.