We are Zeroday

We are ready to purchase information about unique 0day (zero-day) vulnerabilities and exploits

Submission rules

We constantly acquire 0-day vulnerabilities and exploits. We do not pay rewards for hypothetical or 1-day vulnerabilities. Please provide a brief technical description of the vulnerability and any exploits, including the date of research, affected systems, testing results, exploit type, potential attack vector, bug type, specifics of the exploits, security bypass, user interaction or involvement, side effects, your price, etc. Please ensure that you use PGP encryption when communicating with us. (Our PGP key is provided below.) We will analyze and evaluate the vulnerability description you provide within 48 hours. Your reward can be paid in cash, by bank transfer or by anonymous transfer using cryptocurrencies. We will consider an additional premium in the form of quarterly payments to those researchers who agree to provide us with exclusive disclosure of a vulnerability. Realizing that the price of a potentially serious vulnerability may be higher, we are ready to negotiate the price bilaterally.

Agents and brokers are welcome. We will pay you generous commissions for helping us acquire zero-day vulnerabilities.

We reserve the right to refuse to purchase your materials.

Order of research result submission and award payment

  1. You discover a zero-day vulnerability and create a functional prototype to validate the exploitability of the vulnerability.

  2. You write a brief technical description of the vulnerability found and send us a PGP-encrypted key.

  3. Within 48 hours, our research team will send you a purchase order.

  4. If the order is accepted, you will provide us with full technical information on the vulnerability including a functional prototype.

  5. We will verify the functionality and pay you a reward within 24 hours, using the payment method chosen by you.

If you have any counter proposals regarding the acquisition process, you can always contact us. You can arrange a personal meeting at various conferences we attend to discuss business and technical issues in person.

About us

The market for vulnerabilities is growing rapidly and has migrated from the darknet to the corporate environment. ZERODAY supports the development of monitoring tools for law enforcement agencies and intelligence organizations, as well as the design of intrusion detection and prevention systems for vulnerabilities.

ZERODAY also conducts in-house research on vulnerabilities for a variety of systems. Researchers can contact us for our list of most wanted research directions.

ZERODAY assists security researchers in their work on vulnerabilities and provides the highest value for the results of their research. We pay the highest rewards in the market and have built a long-term relationship with many security researchers.

ZERODAY acquires a range of service vulnerabilities, from micro-controllers, SCADA, network equipment, various consumer devices, to mobile, desktop and server applications. If you have zero-day vulnerabilities for a platform or application that is not listed in the payment table below, please contact us.

Career

ZERODAY highly appreciates the talents and technical competence of researchers. We invite you to join our internal teams conducting the most advanced research and offer excellent opportunities for experienced researchers.

We offer a competitive salary and high bonus payments for each exploitable and accepted vulnerability. You can work remotely or join one of our research centers.

For clients

We provide an annual subscription to the results of our studies and 0-day listings to a limited number of organizations.

You can send a request for a subscription to:

zeroday@zeroday.do
PGP fingerprint: 39E7 6FB4 4E01 C7DD 05AF 6634 774C CCDD 5B01 86F4

Payment table

Integrated Circuits

  • Microcontrollers 30k+ $
  • Cellular SoC (MTK, Qualcomm) 50k+ $
  • CPLD/FPGA 50k+ $
  • Smart Cards 100k+ $

SCADA PLC

  • Other 5k+ $
  • Schneider 10k+ $
  • ABB 10k+ $
  • Omron 10k+ $
  • Mitsubishi 15k+ $
  • Honeywell 20k+ $
  • Siemens 30k+ $

Network Devices

  • Other 1k+ $
  • D-Link 3k+ $
  • Netgear 3k+ $
  • ZyXEL 3k+ $
  • Asus 3k+ $
  • Huawei 3k+ $
  • HP 5-10k $
  • Juniper 10-50k+ $
  • Cisco 10-50k+ $
  • Mikrotik 10-50k+ $
  • Sonicwall 10-50k+ $
  • F5 10-50k+ $
  • SIP Avaya, Asterisk, Polycom and others 10-50k+ $
  • Riverbed 10-50k+ $

ATM

  • Other 5k+ $
  • Diebold 5k+ $
  • NCR 10k+ $
  • Wincor 10k+ $

IPMI

  • Other 20k+ $
  • VNC, Teamviewer, Radmin 50k+ $
  • Cisco CIMC 50k+ $
  • Dell DRAC 100k+ $
  • HP iLO 100k+ $
  • Sun SSP 100k+ $
  • Supermicro IPMI 100k+ $

Mobile Devices

  • WatchOS (LCE, RJB) 100k+ $
  • Windows Phone (RJB) 500k+ $
  • Android Latest (RJB) 1M+ $
  • Apple iOS Latest (LCE, RJB) 2M+ $

Smart TV

  • Home Appliance 2k+ $
  • LG 1-10k $
  • Panasonic 5-20k $
  • Sony 5-20k $
  • Samsung 5-20k $

Gaming Consoles

  • Xbox ONE/ONE S (LCE) 75k+ $
  • Playstation 4/4 Pro (LCE) 75k+ $
  • Nintendo (LCE) 50k+ $

Peripheral Devices

  • Scanners (RCE) 1-10k $
  • Printers (RCE) 1-20k $
  • CCTV (RCE) 2k+ $

Operating Systems

  • Linux Desktop/Server (LPE) 40k+ $
  • MacOS Mojave 10.14 (LPE, SE) 50k+ $
  • Windows 7/8.1/10 (LPE, SE) 60k+ $
  • Virtual Machine Escape 60k+ $
  • Windows Server 2008/12/16 (RCE, SE) 100k+ $

Database Software

  • MS Access (RCE) 30k+ $
  • MongoDB (RCE, LPE) 30k+ $
  • Oracle Database (RCE) 50k+ $
  • MySQL Server (RCE) 50k+ $
  • PostgreSQL Server (RCE) 50k+ $
  • MS SQL Server (RCE) 50k+ $

Productivity Apps

  • Antivirus (RCE, LPE) 50k $
  • Adobe PDF Reader all (RCE, SE) 65k+ $
  • MS Office Word, Excel, PP (RCE, SE) 65k+ $
  • Adobe Flash Player (RCE, SE) 65-100k $

Messengers

  • Viber 30k+ $
  • WeChat 30k+ $
  • Line 30k+ $
  • Telegram 30-100k+ $
  • WhatsApp 30-100k+ $

Web Servers

  • Apache Tomcat (RCE) 50k+ $
  • JBoss (RCE) 50k+ $
  • Lotus Domino (RCE) 50k+ $
  • Apache Web Server (RCE) 100k+ $
  • Nginx (RCE) 100k+ $
  • Microsoft IIS (RCE) 100k+ $

Web Browsers

  • Apple Safari OS X/iOS (RCE) 35k+ $
  • Google Chrome all OS (RCE) 35k+ $
  • Mozilla Firefox (RCE, SE) 50k+ $
  • MS Edge/IE 11 (RCE, SE) 55k+ $
  • Apple Safari OS X/iOS (RCE, SE) 85k+ $
  • Google Chrome all OS (RCE, SE) 85k+ $
  • TOR Browser (RCE, SE) 35-100k $

EMC

  • OpenText Content Suite Platform 30k+ $
  • Oracle WebCenter 50k+ $
  • IBM FileNet 50k+ $
  • Microsoft SharePoint 150k+ $

Bugtrackers

  • Atlassian Confluence 15k+ $
  • Jenkins 15k+ $
  • Bugzilla 15k+ $
  • Atlassian JIRA 30k+ $
  • Redmine 30k+ $

FTP

  • net2ftp (RCE) 20k $
  • Serv-U (RCE) 20k $
  • Titan (RCE) 20k $
  • Filezilla (RCE) 30k+ $

CMS

  • Drupal (RCE) 17k+ $
  • Wix (RCE) 17k+ $
  • 1C Bitrix (RCE) 17k+ $
  • Joomla (RCE) 30k+ $
  • WordPress (RCE) 50k+ $

PLM and ERP

  • Enovia PLM 30k+ $
  • MentorGraphics HyperLynx SI PLM 50k+ $
  • SPTC Windchill PLM 50k+ $
  • Oracle Agile PLM 100k+ $
  • Siemens Teamcenter 100k+ $
  • SAP 100k+ $
  • Oracle ERP 100k+ $

Forums

  • Woltlab BB (RCE) 10k+ $
  • XenForo 10k+ $
  • IP.Suite (RCE) 14k+ $
  • phpBB (RCE) 17k+ $
  • MyBB (RCE) 17k+ $
  • Lithium communities (RCE) 30k+ $
  • vBulletin (RCE) 30k+ $
  • IP.Board (RCE) 30k+ $

Mail Servers

  • Other mail servers (RCE) 5k+ $
  • SquirrelMail (RCE) 10k+ $
  • Roundcube (RCE) 10k+ $
  • Horde (RCE) 10k+ $
  • IBM Lotus Domino (RCE) 30k+ $
  • Sendmail (RCE) 30k+ $
  • Microsoft Outlook OWA (RCE) 100k+ $

Hosting Panels

  • Other (RCE) 15k+ $
  • Direct Admin (RCE) 15k+ $
  • Plesk (RCE) 30k+ $
  • cPanel (RCE) 30k+ $

Ecommerce

  • Magento (RCE) 30k+ $
  • PrestaShop (RCE) 30k+ $
  • osCommerce (RCE) 30k+ $
  • WooCommerce (RCE) 50k+ $
  • Shopify (RCE) 50k+ $

  • LPE - Local Privilege Escalation
  • RCE - Remote Code Execution
  • SE - Sandbox Escape
  • RJB - Remote Jailbreak
  • LCE - Local Code Execution (physical access to device)

  • 100$ - 10.000$
  • 10.001$ - 30.000$
  • 30.001$ - 60.000$
  • 60.001$ - 100.000$
  • 100.001$ - 2.000.000$

In addition to vulnerabilities, we are interested in acquiring various research results, such as:

- Deanonymization of TOR resources;
- Bypassing ASLR, DEP, UAC and other security mechanisms;
- Vectors for remote code execution on devices via GSM, Bluetooth and WiFi;
- Vulnerabilities in mobile device chipsets;
- Innovative bypass of antiviruses;
- Other research results and technical information.

Our main goal is productive cooperation with the community of researchers on information security, allowing us to identify new threat vectors and open new research opportunities.
Follow us on Twitter to be informed about industry events where we will participate.

Events

Black Hat Europe 2020

www.blackhat.com

09 - 12.11.2020
London, UK

37C3

www.ccc.de/en

27 - 30.12.2020
Leipzig, Germany

ShmooCon 2020

www.shmoocon.org

31.01 - 02.02.2020
Maryland, US

Black Hat Asia 2020

www.blackhat.com

31.03 - 03.04.2020
Singapore

CanSecWest 2020

www.cansecwest.com

18 - 20.03.2020
Vancouver, CA

HITBSECCONF 2020 UAE

www.hitb.org

17 - 22.10.2020
Abu Dhabi, UAE

HITBSECCONF 2020 NL

www.hitb.org

20 - 24.04.2020
NH Grand Krasnapolsky, Amsterdam

HITBSECCONF 2020 SG

www.hitb.org

20 - 24.07.2020
Singapore

INFILTRATE

www.infiltratecon.com

19 - 24.04.2020
Miami Beach

BlueHat 2020

www.recon.cx

05 - 06.02.2020
Tel Aviv, Israel

Black Hat USA 2020

www.blackhat.com

01 - 06.08.2020
Las Vegas, US

DEFCON 28

www.defcon.org

06 - 09.08.2020
Las Vegas, US

DEFCON 28

www.defcon.org

17 - 19.04.2020
Beijing, China

Contacts

For cooperation and submission of vulnerabilities, please email: