We work hard to make the participating in the ZDI program easy and rewarding for researchers.
Plus, the program only gets more rewarding as your contributions increase.
The amount we offer to a researcher for a particular vulnerability depends on the following criteria:
Is the affected product widely deployed?
Can exploiting the flaw lead to a server or client compromise? At what privilege level?
Is the flaw exposed in default configurations/installations?
Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)
To determine the worth of a vulnerability, researchers should sign up for an account and submit it for a valuation. If an offer is not made or an offer is made but not accepted by the researcher, the vulnerability information will remain the property of the researcher and will not be used in the Zero Day Initiative (ZDI) program. We reserve the right to not make an offer to acquire a vulnerability for any or no reason.
The success of the ZDI program depends on developing a mutual trust and loyalty over time with participating
security researchers. To reward repeated patronage of the ZDI, we developed the following incentive programs.
ZDI Referral Program
For each new researcher that is referred to the ZDI, the referrer is given 2,500 ZDI Rewards points (see below) after that referral's first vulnerability is acquired under the ZDI.
ZDI Rewards Program
As a member of the ZDI program, you earn points each time a vulnerability submission is purchased. Points are treated in a manner similar to airline frequent flyer miles - points accrue each year on a dollar-for-dollar basis based on the total amount paid for vulnerability submissions by the researcher during that calendar year. For instance, if the Zero Day Initiative buys your vulnerability for $5,000, then you receive 5,000 points for that submission. For all of this calendar year, if you receive 47,000 points, then for the next calendar year you will be considered to have ZDI Gold status. To maximize your submission, review the information provided by this blog. It offers helpful tips to ensure you get the most from your submission.
Each level offers exclusive awards and benefits, each of which last for the one calendar year period following the year in which the points were earned:
A researcher identifies a previously unpatched vulnerability.
The vulnerability is submitted through our secure portal and a case ID is created.
We verify the submission and e-mail an offer to the researcher.
The researcher accepts the offer, and is paid promptly by check or wire transfer.
We notify the affected vendor before sharing the research with other vendors and the public.
As an added perk for researchers, ZDI offers a Researcher Rewards Program which can substantially increase rewards and bonuses for researchers who are especially productive within the program. As a member of the program, you receive one point for every dollar you are paid for your submitted vulnerabilities.REGISTER NOW