CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Cloud Security

Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits

Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.

Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.

The company says it’s looking for ESXi (vSphere) and Hyper-V exploits that allow guest-to-host escapes. The exploits need to work on default configurations, they must be reliable, and they have to allow the attacker to gain full access to the host.

Zerodium looking for Hyper-V and ESXi exploits

Until now, Zerodium has been offering up to $200,000 for ESXi virtual machine escapes — the payout was increased earlier this year from $100,000.

“We are increasing the payouts for VMWare ESXi exploits to attract and encourage more researchers into auditing the security of this hypervisor as we firmly believe that there are many critical vulnerabilities affecting it and our government customers are in need of such exploits,” Chaouki Bekrar, founder and CEO of Zerodium, told SecurityWeek.

Microsoft Hyper-V was not part of the company’s bug bounty program until now.

“Hyper-V was not part of our bounty program as there was low to no interest in this product from our customers,” Bekrar explained. “However, we’ve recently observed a significant increase in demand for Hyper-V exploits and we have decided to add it to our program.”

It’s worth noting that Microsoft offers up to $250,000 for Hyper-V vulnerabilities through its bug bounty program.

Bekrar says Zerodium will offer up to $500,000 for Hyper-V and ESXi zero-day exploits for a couple of months and then it will decide if the payouts will be reduced or kept at this level depending on the number of submissions received from researchers.

Advertisement. Scroll to continue reading.

Zerodium offers up to $2 million for high-quality exploits. The company says the information it acquires is provided to customers, which it claims are mainly government organizations “in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks.”

Earlier this year, Zerodium announced that it’s prepared to pay up to $2 million for remote iOS jailbreaks and $1 million for vulnerabilities in popular chat applications, including WhatsApp, iMessage and SMS/MMS apps.

Related: Zerodium Discloses Flaw That Allows Code Execution in Tor Browser

Related: Zerodium Offers $45,000 for Linux 0-Days

Related: Zerodium Offers $500,000 For Messaging, Email App Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...