In 2019, our 10M USD bug bounty program was very well received by researchers, together with our unique “Vulnerability Research Hub” (VRH) online platform.
We also offered free high-level technical training sessions to hundreds of vulnerability researchers around the world as part of our commitment to support the research community.
This year, we are offering a larger 30M USD acquisition program, extending its scope to include other important research areas such as Enterprise Software, WiFi/Baseband and Messengers.
Payouts for full chains or previously unreported, exclusive capabilities range from USD 10,000 to USD 9 million per successful submission. Partial chains will be evaluated on a case-by-case basis and priced proportionally.
Scope
Within this program, Crowdfense evaluates only fully functional, top-quality zero-day exploits affecting the following platforms and products.
Note: all prices are maximums up to the specified value, pending evaluation of the submitted capability.
- SMS/MMS Full Chain Zero Click: from 7 to 9 M USD
- Android Zero Click Full Chain: 5 M USD
- iOS Zero Click Full Chain: from 5 to 7 M USD
- iOS (RCE + SBX): 3.5 M USD
- Chrome (RCE + LPE): from 2 to 3 M USD
- Chrome (SBX): 500k USD
- Chrome (RCE w/o SBX): 500k USD
- Safari (RCE + LPE): from 2.5 to 3.5 M USD
- Safari (SBX): from 300 to 400k USD
- Safari (RCE w/o SBX): 200k USD
- WhatsApp Zero Click (RCE + LPE): from 3 to 5 M USD
- WhatsApp (RCE + LPE): 1.5 M USD
- iMessage Zero Click (RCE + LPE): from 3 to 5 M USD
- iMessage (RCE + LPE): 1.5 M USD
- Other apps (RCE + LPE): email, Signal, FaceTime, Instagram, Telegram, Facebook, Facebook Messenger, Session, Threema, Wire, WeChat
- LPE to Kernel/Root: 800k USD
- Persistence: 500k USD
- Media File (RCE + LPE): 200k USD
- Documents (RCE + LPE): 200k USD
OS
- Microsoft Windows Zero Click (RCE + LPE): 2 M USD
- Microsoft Windows (LPE/SBX): 150k USD
- Linux (LPE): 100k USD
- Apple macOS (LPE): 150k USD
Browsers
- Chrome Zero Click Full Chain (RCE + SBX + LPE): 1.5 M USD
- Safari Zero Click Full Chain (RCE + SBX + LPE): 500k USD
- Edge Zero Click Full Chain (RCE + SBX + LPE): 400k USD
- Firefox Zero Click Full Chain (RCE + SBX + LPE): 350k USD
- Tor: 500k USD
Clients / Office / Files / Archives
- Microsoft Outlook (RCE): 250k USD
- Mozilla Thunderbird (RCE): 200k USD
- Microsoft Word/Excel (RCE): 400k USD
- Adobe Acrobat Reader (RCE + SBX): 200k USD
- WinRAR (RCE): 100k USD
- 7-zip (RCE): 80k USD
- WinZip (RCE): 50k USD
- tar (RCE): 50k USD
Other
- Antivirus (RCE): 50k USD
- Antivirus (LPE): 10k USD
- Microsoft Hyper-V (VME): 1 M USD
- VMware ESXi (RCE): 1 M USD
- VMware Workstation (VME): 300k USD
- Parallels Desktop (VME): 300k USD
- Baseband chipsets, Qualcomm, MediaTek, Samsung LSI, Intel, Unisoc (RCE): 500k USD
Web Servers
- Apache HTTP Server (RCE): 500k USD
- Microsoft IIS (RCE): 500k USD
- Nginx (RCE): 300k USD
- Red Hat JBoss (RCE): 50k USD
- Apache Tomcat (RCE): 50k USD
Email Servers
- Microsoft Exchange (RCE): 250k USD
- Sendmail (RCE): 200k USD
- Postfix (RCE): 200k USD
- Exim (RCE): 200k USD
- Dovecot (RCE): 200k USD
- Other products (RCE): MDaemon, IceWarp, GFI Kerio Connect
IPMI
- Sun SSP (RCE): 100k USD
- Dell DRAC (RCE): 100k USD
- HP iLO (RCE): 100k USD
- Supermicro IPMI (RCE): 100k USD
- Cisco CIMC (RCE): 100k USD
- VNC, TeamViewer, Radmin (RCE): 100k USD
- Other products (RCE): 50k USD
EMS
- Microsoft SharePoint (RCE): 250k USD
- IBM FileNet (RCE): 100k USD
- Oracle WebCenter (RCE): 100k USD
- IBM Lotus Domino (RCE): 50k USD
PLM and ERP
- SAP (RCE): 250k USD
- Siemens Teamcenter (RCE): 250k USD
- Oracle ERP (RCE): 200k USD
- Oracle Agile PLM (RCE): 200k USD
- PTC Windchill PLM (RCE): 200k USD
- MentorGraphics HyperLynx SI PLM (RCE): 100k USD
- Enovia PLM (RCE): 50k USD
Databases
- MS SQL Server (RCE): 150k USD
- Oracle Database (RCE): 150k USD
- MongoDB (RCE): 30k USD
- MySQL (RCE): 30k USD
FTP
- FileZilla (RCE): 50k USD
- Titan (RCE): 30k USD
- Serv-U (RCE): 20k USD
- net2ftp (RCE): 10k USD
- ProFTPD (RCE): 20k USD
- vsFTPD (RCE): 20k USD
Other Products
- OpenSSL (RCE): 250k USD
- PHP (RCE): 250k USD
- Other products (RCE): GitLab, Jenkins, Ivanti Connect Secure, phpMyAdmin, Atlassian Jira, Zyxel Network VPN Firewall, Nagios, PRTG, Cacti, SolarWinds Orion, Git Server, GitHub, GitLab Enterprise, Zabbix, Bitbucket, WatchGuard
Web Apps / Web Hosting Control Panels
- cPanel / WHM (RCE): 100k USD
- Plesk (RCE): 100k USD
- Webmin (RCE): 100k USD
- Roundcube (RCE): 50k USD
- Horde (RCE): 50k USD
- CentOS Web Panel (RCE): 100k USD
- Ajenti (RCE): 50k USD
- ISPConfig (RCE): 50k USD
- WHMCS (RCE): 50k USD
- Vesta CP (RCE): 50k USD
- DirectAdmin (RCE): 50k USD
- Confluence (RCE): 50k USD
- SquirrelMail (RCE): 50k USD
- Other mail servers (RCE): 25k USD
CMS
- WordPress (RCE): 500k USD
- phpBB (RCE): 50k USD
- vBulletin (RCE): 75k USD
- MyBB (RCE): 50k USD
- Joomla (RCE): 40k USD
- Drupal (RCE): 25k USD
- Invision Power Board (RCE): 75k USD
Research & Techniques
- WiFi (RCE): 500k USD
- Code Signing Bypass: 100k USD
- RCE via MitM: 100k USD
- Information Disclosure/Leak: 100k USD
- (k)ASLR Bypass: 100k USD
- PIN/Passcode/Touch ID Bypass: 100k USD
- USB (LPE): 50k USD
- CCTV (RCE): 30k USD
- Hikvision DVR (RCE): 50k USD
- Printers (RCE): 25k USD
- NAS (Synology, QNAP) (RCE): 60k USD
Routers & Firewalls
- Cisco (RCE): 100k USD
- Mikrotik (RCE): 100k USD
- D-Link (RCE): 50k USD
- TP-Link (RCE): 50k USD
- Netgear (RCE): 50k USD
- Ubiquiti (RCE): 50k USD
- Fortinet (RCE): 100k USD
- Citrix (RCE): 100k USD
- SonicWall (RCE): 100k USD
- Huawei (RCE): 100k USD
- Sophos (RCE): 100k USD
- Juniper (RCE): 75k USD
- HP (RCE): 50k USD
- Other devices (RCE): Kerio Control, pfSense Firewall, F5 BIG-IP, Grafana, LANCOM, Linksys, Fritz!Box, Ubiquiti AirCube, TP-Link, OpenWrt, DD-WRT, MikroTik 7
- FC: Full-Chain (usually RCE + SBX + LPE)
- 0C: Zero Click, no user interaction
- 1C: One Click, minimal user interaction (e.g. clicking a link, visiting a website, opening a file)
- P-RCE: Pre-Authenticated Remote Code Execution
- RCE: Remote Code Execution
- LPE/PE/EoP: Local Privilege Escalation/Privilege Escalation/Elevation of Privilege
- SBX: Sandbox Escape
- VME: Virtual Machine Escape
Please be aware that from time to time we will also propose high-priority bounties with extra bonuses, as well as private bounties for selected researchers, through our Vulnerability Research Hub: be sure not to miss them!
Submission Process
- The researcher submits minimal specifications and video proofs of the capability.
- Crowdfense reviews the details of the exploit and gives a preliminary evaluation.
- The researcher submits the proof of concept (PoC) to Crowdfense.
- Crowdfense reviews the PoC and tests the exploit, then sends the final offer.
- The researcher accepts the final offer and agrees on a formal contract.
- The researcher supplies the exploit source code and documentation, and Crowdfense releases the agreed amount.