Specifically, the company wants to acquire exploits that work against the Windows versions of the ExpressVPN, NordVPN and Surfshark applications. These VPN services have millions of users.

Zerodium is looking for remote code execution, IP address leak, and other information disclosure exploits. It does not want to acquire local privilege escalation vulnerabilities.

The company has not said how much it’s willing to pay for the zero-day exploits. SecurityWeek has reached out to the firm for more information, but we have yet to receive a response.