At Zeronomicon we believe that “integrity without knowledge is weak and useless, and knowledge without integrity is dangerous and dreadful.” Therefore we have established a Code of Business Ethics, hold ourselves to its principles and standards, and go to great length to highly value and reward the integrity and the findings of contributing security researchers.
Everybody is eligible to participate, unless she/he is a citizen of, or resident in, a country sanctioned by the United Nations.
Please, visit our Contacts area and drop us a PGP encrypted message using the credentials described therein.
Please, visit the section of this website devoted to our Premium Exploit Acquisition Program for a description of the eligibility criteria
Yes, we are and we will be glad to discuss with security researchers the acquisition of their findings.
While a full chain of exploits is desirable, Zeronomicon is interested in acquiring also partial exploits — which is to say, exploits that take advantage of one or more vulnerabilities to achieve one or multiple security objectives, albeit insufficient to take the full control of the target system.
We ask interested security researchers to submit the following information over a PGP encrypted email:
The acquisition prices at Zeronomicon are fully aligned with market benchmarks and reflect the pricing factors described below.
Factors are related to both the demand for the given exploit and its technical attributes. When evaluating a submission, Zeronomicon will assess the following factors, in no particular order: reliability, type of vulnerability, affected products and versions, impact, side-effects, exploitation pre-conditions, required attack vectors, presence and robustness of bypassed mitigation mechanisms.
If the candidate exploit is eligible for acquisition, we ask the security researcher to describe the exploit capabilities. If interested, we will make our best offer based on the description provided to us. Should the researcher decides to proceed with the sale, we ask the seller to submit her/his findings with all the supporting information. When the seller submit her/his findings, our team revises and validates the exploit. If the exploit is found to not match our reliability requirements, or if the same does not work on the intended system, we give the security research the possibility, but not the obligation, to improve on the submission. If, at any time, the exploit is found to match our requirements and to work as described, Zeronomicon pays the seller using the payment methods detailed below.
Zeronomicon will pay the security researcher via a national or international bank wire transfer. To this end, it is essential that the bank account of the security researcher is not in a country sanctioned by the United Nations.
Zeronomicon customers are high-performance organizations, both in the government and industry sectors, who demand tailored cybersecurity capabilities, actionable vulnerability information, and risk mitigation strategies to reach confidence in today’s interconnected operational environment and mitigate the risks faced by their stakeholders.