The research must rely on exclusive, unknown, unpublished, and unreported zero-days, and must bypass all exploit mitigations applicable to each target category.

The initial attack vector must be a web page targeting the latest versions of Tor Browser (Stable + Experimental) in either a non-default/hardened configuration where JavaScript is blocked for all websites (Tor Browser Security Settings set to: High), or in its default configuration (Tor Browser Security Settings set to: Low (default)).

The exploit must be fully functional, reliable, and leading to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges.

The whole exploitation process should be achieved silently, without triggering any message or popup, and without requiring any user interaction except visiting a web page. Other attack vectors such as opening a document are not eligible for this bounty but ZERODIUM may, at its sole discretion, make a distinct offer to acquire such exploits.

Exploits not fully meeting the requirements will not be eligible for the bounty but ZERODIUM may, at its sole discretion, make a distinct offer to acquire such exploits.

All submissions must be made exclusively to ZERODIUM and must include the full exploit with a detailed whitepaper describing all utilized vulnerabilities and techniques.