Zerodium

Zerodium was an American information security company. The company was founded in 2015 with operations in Washington, D.C., and Europe. The company developed and acquired zero-day exploits from security researchers.

Zerodium

Founded	2015; 10 years ago (2015)
Defunct	2025 (2025)
Headquarters	Washington, D.C. , United States
Area served	Information security
Website	www.zerodium.com

History

Zerodium was launched on July 25, 2015 by the founders of Vupen. The company paid bounties for zero-day exploits. A zero-day exploit is a cybersecurity attack that targets security flaws in computer hardware, software or firmware in order to maliciously plant malware, steal data, or damage the program. Bug bounty programs, including Zerodium, pay bounties for knowledge of these security flaws.

Zerodium was the first company to release a full pricing chart for zero-days, ranging from $5,000 to $1,500,000 per exploit.^[1] The company was reported to have spent between $400,000 to $600,000 per month for vulnerability acquisitions in 2015.^[2]

In 2016, the company increased its permanent bug bounty for iOS exploits to $1,500,000.^[3]

In September 2019, Zerodium increased its bounty for Android exploits to $2,500,000, and for the first time the company paid more for Android exploits than iOS. Payouts for WhatsApp and iMessage had also been increased. The company is now reportedly spending between $1,000,000 to $3,000,000 each month for vulnerability acquisitions.^[4]

In May 2024, Intelligence Online^[5] posted an article titled "France, United States Iconic American vulnerability trader Zerodium to close its doors? " claiming that Zerodium had been absent for quite some time.

In January 2025, Zerodium disabled its website and replaced it with a single page containing their PGP key.^[5]

Criticism

Reporters Without Borders criticized Zerodium for selling information on exploits used to spy on journalists to foreign governments.^[6]

See also

• Market for zero-day exploits
• Bug bounty programs