Unlike the majority of existing bug bounty programs, which accept almost any kind of vulnerability and PoC but pay very low rewards, Zerodium focuses mainly on very high-risk vulnerabilities with fully functional exploits.
Zerodium is currently acquiring 0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails.
We’re currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://t.co/8NeubPvSdj
— Zerodium (@Zerodium) June 27, 2018
Zerodium pays very high amounts, especially for mobile exploits: payouts go up to $1,500,000 and start from $15,000, which indicates that Zerodium pays more for critical mobile zero-day vulnerabilities than for desktop and server vulnerabilities.
According to Zerodium, the payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting ZERODIUM’s highest requirements. ZERODIUM may pay higher rewards for exceptional exploits or research.
Zerodium Payouts for Desktop/Servers
Zerodium Payouts for Mobiles
Eligible Products and Brands
Zerodium acquires original and previously unreported zero-day exploits for many of the following products.
- Operating Systems – Windows 10 / 8.1, macOS 10.x, CentOS, Ubuntu, Tails
- Web Browsers – Chrome, Edge, Firefox, Tor, Safari
- Clients / Readers – Office, Outlook, Thunderbird, Adobe, Foxit
- Mobiles / Smartphones – Apple, Android, BlackBerry, Windows
- Web Servers & Related – Apache, IIS, nginx, OpenSSL
- Email Servers & Related – MS Exchange, Dovecot, Postfix, Sendmail
- Web Applications – WordPress, Joomla, Drupal, phpBB, Roundcube, Horde
- Research / Techniques – Mitigations Bypass, AntiVirus RCE/LPE, Routers Pre-Auth RCE
Zerodium mainly pays for remote code execution, local privilege escalation, sandbox bypass, and other exploit types.
Eligible brands are Apple, Google, Samsung, LG, Huawei, Sony, HTC, Xiaomi, Acer, Asus, Vivo, Motorola, Lenovo, OPPO, BlackBerry, Vertu, ZTE, BBK, and Gionee.
The bug submission process is quite easy, with simple steps for researchers to submit the vulnerabilities they have discovered in the above products.
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies, e.g. Bitcoin. The first payment is sent within one week or less, ZERODIUM said.