Zerodium is a vulnerability brokerage founded in 2015 by Chaouki Bekrar, the same entrepreneur behind the French security firm Vupen. Headquartered in Washington, D.C., the company pays independent researchers for previously unknown software flaws — known as zero-days — along with the working exploit code needed to weaponize them. It then packages this intelligence and sells it on an exclusive basis to a small set of vetted institutional customers, which Zerodium publicly describes as government organizations needing capabilities for lawful intercept, intelligence, and counterterrorism operations.
The firm is best known for publishing a transparent price list, an unusual practice in a traditionally opaque market. Payouts have ranged from a few thousand dollars for browser bugs to multi-million-dollar bounties for full remote chains. In September 2019, Zerodium announced it would pay up to US$2.5 million for a zero-click Android exploit, surpassing its iOS bounty for the first time and signaling a shift in the relative hardness of mobile platforms. In May 2020, the company publicly suspended new submissions for iOS exploits, citing a glut of supply.
Zerodium occupies a contested space in cybersecurity policy debates. Defenders argue it provides a legal, Western-aligned alternative to grey-market sales and supports legitimate intelligence work. Critics — including researchers at Citizen Lab and within the Vulnerability Equities Process (VEP) debate in the United States — argue that stockpiling unpatched flaws leaves civilian infrastructure exposed and that the offensive-tools industry, including better-known vendors like NSO Group and Intellexa, has enabled abuses against journalists and dissidents. Zerodium itself has not been publicly linked to specific surveillance abuses, but its business model is central to discussions over export controls under the Wassenaar Arrangement and the EU dual-use regulation (Regulation 2021/821).
Example
In September 2019, Zerodium announced a US$2.5 million bounty for a full-chain, zero-click Android exploit, exceeding its top iOS payout for the first time.
Frequently asked questions
Zerodium was founded in 2015 by Chaouki Bekrar, who previously co-founded the French exploit firm Vupen.
Keep learning