Frequently Asked Questions

  • What makes Zeronomicon different from other acquisition programs?

    At Zeronomicon we believe that “integrity without knowledge is weak and useless, and knowledge without integrity is dangerous and dreadful.” Therefore we have established a Code of Business Ethics, hold ourselves to its principles and standards, and go to great lengths to value and reward the integrity and the findings of contributing security researchers.

  • Who is eligible to participate?

    Everybody is eligible to participate, unless she/he is a citizen of, or resident in, a country sanctioned by the United Nations.

  • I wrote an exploit: what should I do?

    Please visit our Contacts area and send us a PGP-encrypted message using the credentials described therein.

  • Will Zeronomicon acquire my exploit?
  • Is Zeronomicon interested in new exploitation techniques?

    Yes, we are, and we will be glad to discuss the acquisition of their findings with security researchers.

  • Do I need a full chain of exploits to close a deal with Zeronomicon?

    While a full chain of exploits is desirable, Zeronomicon is also interested in acquiring partial exploits, that is, exploits that take advantage of one or more vulnerabilities to achieve one or multiple security objectives, albeit insufficient to take full control of the target system.

  • What should my submission look like?

    We ask interested security researchers to submit the following information in a PGP-encrypted email:

    • Exploit and any source code;
    • Description of the vulnerability, the analysis of its exploitability and techniques of exploitation;
    • Attack vectors;
    • Configuration required, if different from the default configuration;
    • Any additional information that may help Zeronomicon in evaluating your submission.

  • How much will Zeronomicon pay for my exploit?

    The acquisition prices at Zeronomicon are fully aligned with market benchmarks and reflect the pricing factors described below.

  • What factors drive up the payout for an exploit?

    Factors are related to both the demand for the given exploit and its technical attributes. When evaluating a submission, Zeronomicon will assess the following factors, in no particular order: reliability, type of vulnerability, affected products and versions, impact, side-effects, exploitation pre-conditions, required attack vectors, presence and robustness of bypassed mitigation mechanisms.

  • How does the evaluation take place?

    If the candidate exploit is eligible for acquisition, we ask the security researcher to describe the exploit capabilities. If interested, we will make our best offer based on the description provided to us. Should the researcher decide to proceed with the sale, we ask the seller to submit her/his findings with all the supporting information. When the seller submits her/his findings, our team reviews and validates the exploit. If the exploit is found not to match our reliability requirements, or if it does not work on the intended system, we give the security researcher the possibility, but not the obligation, to improve on the submission. If, at any time, the exploit is found to match our requirements and to work as described, Zeronomicon pays the seller using the payment methods detailed below.

  • What payment methods will be used?

    Zeronomicon will pay the security researcher via a national or international bank wire transfer. To this end, it is essential that the bank account of the security researcher is not in a country sanctioned by the United Nations.


  • Who are Zeronomicon’s customers?

    Zeronomicon customers are high-performance organizations, both in the government and industry sectors, who demand tailored cybersecurity capabilities, actionable vulnerability information, and risk mitigation strategies to reach confidence in today’s interconnected operational environment and mitigate the risks faced by their stakeholders.