Exploit Acquisition Program

In 2019, our 10M USD bug bounty program was very well received by researchers, together with our unique “Vulnerability Research Hub” (VRH) online platform.

We also offered free high-level technical training sessions to hundreds of vulnerability researchers around the world as a part of our commitment to support the research Community.

This year, we are offering a larger 30M USD acquisition program, extending its scope to include other important research areas like Enterprise Software, WiFi/Baseband and Messengers.

Payouts for full-chains or previously unreported, exclusive capabilities, range from USD 10,000 to USD 9 million per successful submission. Partial chains will be evaluated on a case-by-case basis and priced proportionally.

Scope

Within this program, Crowdfense evaluates only fully functional, top-quality zero-day exploits affecting the following platforms and products.

Note: All the prices are considered up to the specified value, pending evaluation of the submitted capability.

High Demand Bug Bounties

Time sensitive bounties with bonus payouts

  • SPTM bypass for iOS v.17, and later

High demand

  • SMS/MMS Full Chain Zero Click: from 7 to 9 M USD
  • Android Zero Click Full Chain: 5 M USD
  • iOS Zero Click Full Chain: from 5 to 7 M USD
  • iOS (RCE + SBX): 3,5 M USD
  • Chrome (RCE + LPE): from 2 to 3 M USD
  • Chrome (SBX): 500k USD
  • Chrome (RCE w/o SBX): 500k USD
  • Safari (RCE + LPE): from 2,5 to 3,5 M USD
  • Safari (SBX): from 300 to 400k USD
  • Safari (RCE w/o SBX): 200k USD

High demand

  • WhatsApp Zero Click (RCE + LPE): from 3 to 5 M USD
  • Whatsapp (RCE + LPE): 1,5 M USD
  • iMessage Zero Click (RCE + LPE): from 3 to 5 M USD
  • iMessage (RCE + LPE): 1,5 M USD

Other apps (RCE+LPE): email, Signal, FaceTime, Instagram, Telegram, Facebook, Facebook Messenger, Session, Threema, Wire, WeChat

  • LPE to Kernel/Root: 800k USD
  • Persistence: 500k USD
  • Media File (RCE + LPE): 200k USD
  • Documents (RCE + LPE): USD 200k USD

OS

  • Microsoft Windows Zero Click (RCE + LPE): 2 M USD
  • Microsoft Windows (LPE/SBX): 150k USD
  • Linux (LPE): 100k USD
  • Apple Mac OS (LPE): 150k USD

Browsers

  • Chrome Zero Click Full Chain (RCE + SBX + LPE): 1,5 M USD
  • Safari Zero Click Full Chain (RCE + SBX + LPE): 500k USD
  • Edge Zero Click Full Chain (RCE + SBX + LPE): 400k USD
  • Firefox Zero Click Full Chain (RCE + SBX + LPE): 350k USD
  • Tor: 500k USD

Clients / Office / Files / Archives

  • Microsoft Outlook (RCE): 250k USD
  • Mozilla Thunderbird (RCE): 200k USD
  • Microsoft Word/Excel (RCE): 400k USD
  • Adobe Acrobat Reader (RCE + SBX): 200k USD
  • WinRAR (RCE): 100k USD
  • 7-zip (RCE): 80k USD
  • WinZip (RCE): 50k USD
  • tar (RCE): 50k USD

Other

  • Antivirus (RCE): 50k USD
  • Antivirus (LPE): 10k USD
  • Microsoft Hyper-V (VME): 1 M USD
  • VMWware ESXi (RCE): 1 M USD
  • VMWware Workstation (VME): 300k USD
  • Parallels Desktop (VME): 300k USD

Qualcomm, MediaTek, Samsung LSI, Intel, Unisoc (RCE): 500k USD

Web Servers

  • Apache HTTP Server (RCE): 500k USD
  • Microsoft IIS (RCE): 500k USD
  • Nginx (RCE): 300k USD
  • Red Hat Jboss (RCE): 50k USD
  • Apache Tomcat (RCE): 50k USD

Email Servers

  • Microsoft Exchange (RCE): 250k USD
  • Sendmail (RCE): 200k USD
  • Postfix (RCE): 200k USD
  • Exim (RCE): 200k USD
  • Dovecot (RCE): 200k USD
  • Other products (RCE): Mdeamon, Icewarp, GFI KerioConnect

IPMI

  • Sun SSP (RCE): 100k USD
  • Dell DRAC (RCE): 100k USD
  • HP iLO (RCE): 100k USD
  • Supermicro IPMI (RCE): 100k USD
  • Cisco CIMC (RCE): 100k USD
  • VNC, TeamViewer, Radmin (RCE): 100k USD
  • Other products (RCE): 50k USD

EMS

  • Microsoft SharePoint (RCE): 250k USD
  • IBM FileNet (RCE): 100k USD
  • Oracle WebCenter (RCE): 100k USD
  • IBM Lotus Domino (RCE): 50k USD

PLM and EPR

  • SAP (RCE): 250k USD
  • Siemens Teamcenter (RCE): 250k USD
  • Oracle ERP (RCE): 200k USD
  • Oracle Agile PML (RCE): 200k USD
  • SPTC Windchill PLM (RCE): 200k USD
  • MentorGraphics HyperLynx SI PLM (RCE): 100k USD
  • Enovia PLM (RCE): 50k USD

Databases

  • MS SQL Server (RCE): 150k USD
  • Oracle Database (RCE): 150k USD
  • MangoDB (RCE): 30k USD
  • MySQL (RCE): 30k USD

FTP

  • Filezilla (RCE): 50k USD
  • Titan (RCE): 30k USD
  • Serv-U (RCE): 20k USD
  • net2ftp (RCE): 10k USD
  • ProFTPD (RCE): 20k USD
  • vsFTPD (RCE): 20k USD

Other Products

  • OpenSSL (RCE): 250k USD
  • PHP (RCE): 250k USD
  • Other products (RCE): GitLab, Jenkins, Ivanti Connect Secure, phpMyAdmin, Atlassian JIRA, Zyxell Network VPN Firewall, Nagios, PRTG, Cacti, SolarWinds Orion, Git Server, GitHub, GitLab enterprise, Zabbix, Bitbucket, Watchguard

Web Apps / Web Hosting Control Panels

  • cPanel / WHM (RCE): 100k USD
  • Plesk (RCE): 100k USD
  • Webmin (RCE): 100k USD
  • Roundcube (RCE): 50k USD
  • Horde (RCE): 50k USD
  • CentOS Web Panel (RCE): 100k USD
  • Ajenti (RCE): 50k USD
  • ISPConfig (RCE): 50k USD
  • WHMCS (RCE): 50k USD
  • Vesta CP (RCE): 50k USD
  • DirectAdmin (RCE): 50k USD
  • Confluence (RCE): 50k USD
  • Squirellmail (RCE): 50k USD
  • Other mail servers (RCE): 25k USD

CMS

  • WordPress (RCE): 500k USD
  • phpBB (RCE): 50k USD
  • vBulletin (RCE): 75k USD
  • MyBB (RCE): 50k USD
  • Joomla (RCE): 40k USD
  • Drupal (RCE): 25k USD
  • Invision Power Board (RCE): 75k USD

Research & Techniques

  • WiFi (RCE): 500k USD
  • Code Signing Bypass: 100k USD
  • RCE via MitM: 100 000
  • Information Disclosure/Leak: 100k USD
  • (k)ASLR Bypass: 100k USD
  • PIN/Passcode/Touch ID Bypass: 100k USD
  • USB (LPE): 50k USD
  • CCTV (RCE): 30k USD
    • Hikvision DVR (RCE): 50k USD
  • Printers (RCE): 25k USD
  • NAS (Synology, QNAP) (RCE): 60k USD

Routers & Firewalls

  • Cisco (RCE): 100k USD
  • Mikrotik (RCE): 100k USD
  • D-Link (RCE): 50k USD
  • TP-Link (RCE): 50k USD
  • Netgear (RCE): 50k USD
  • Ubiquiti (RCE): 50k USD
  • FortiNet (RCE): 100k USD
  • Citrix (RCE): 100k USD
  • Sonicwall (RCE): 100k USD
  • Huawei (RCE): 100k USD
  • Sophos (RCE): 100k USD
  • Juniper (RCE): 75k USD
  • HP (RCE): 50k USD

Other devices (RCE): KerioControl, Pfsense Firewall, F5 Big-IP, Grafana, LANcom, Linksys, Fritz!Box, Ubiquiti AirCube, TP-Link, OpenWRT, DD-WRT, MikroTik 7

  • FC: Full-Chain (usually RCE + SBX + LPE)
  • 0C: Zero Click, no user interaction
  • 1C: One Click, minimal user interaction (e.g. clicking a link, visiting a website, opening a file)
  • P-RCE: Pre-Authenticated Remote Code Execution
  • RCE: Remote Code Execution
  • LPE/PE/EoP: Local Privilege Escalation/Privilege Escalation/Elevation of Privilege
  • SBX: Sandbox Escape
  • VME: Virtual Machine Escape

Please be aware that from time to time, we will also propose high-priority bounties, with extra bonuses and private bounties to selected researchers through our Vulnerability Research Hub: be sure not to miss them!

Submit your Research

If you have what it takes, join our Vulnerability Research Hub, report your vulnerability and reclaim the highest payouts ever!


Submission Process

01

The researcher enrols in the Vulnerability Research Hub (VRH).
02

Preliminary Contact

The researcher submits minimal specifications and video proofs of the capability.

03

Preliminary Offer

Crowdfense reviews the details of the exploit and gives a preliminary evaluation.

04

POC Submission

The researchers submit the proof of concept to Crowdfense.

05

POC Evaluation

Crowdfense reviews the POC and tests the exploit, then sends the final offer.

06

Payment

  • The researcher accepts the final offer and agrees on a formal contract.
  • The researcher supplies the exploit source code and documentation, and Crowdfense releases the agreed amount.


Submit your Research

If you have what it takes, join our Vulnerability Research Hub, report your vulnerability and reclaim the highest payouts ever!