Exploit Acquisition Program

In 2017, our 10M USD bug bounty program was very well received by researchers, together with our unique “Vulnerability Research Hub” (VRH) online platform.

We also offered free high-level technical training sessions to hundreds of vulnerability researchers around the world as a part of our commitment to support the research Community.

Now we are offering a larger 30M USD acquisition program, extending its scope to include other important research areas like enterprise software, mobile single components and messengers.

Payouts for full-chains or previously unreported capabilities, range from USD 10,000 to USD 7 million per successful submission. Partial chains and single components will be evaluated on a case-by-case basis and priced proportionally.

Scope

Within this program, Crowdfense evaluates only fully functional, top-quality zero-day exploits affecting the following platforms and products.

Note: All the prices are considered up to the specified value, pending evaluation of the submitted capability.

High Demand Bug Bounties

To view the list of our high-demand, high-priority or time-sensitive bounties, register to our VRH platform.

Reclaim your bounty!

High demand

Zero Click Full Chains

  • Android Zero Click Full Chain (e.g Whatsapp, RCS): 5 M USD
  • iOS Zero Click Full Chain (e.g. iMessage): from 5 to 7 M USD

Browsers

  • Chrome (RCE + LPE): from 2 to 3 M USD
  • Chrome (RCE w/o SBX): 500k USD
  • Chrome (SBX): 500k USD
  • Safari (RCE + LPE): from 2,5 to 3,5 M USD
  • Safari (RCE w/o SBX): 500k USD
  • Safari (SBX): from 300 to 400k USD

Single Components

RCE, SBX, PE (either vendor or non-vendor specific), Generic Bypass, Delivery Method or Profiling

Mobile Applications

Other apps: iCloud, Calendar, Email, Signal, FaceTime, Instagram, Telegram, Facebook, Facebook Messenger, Session, Threema, Wire, WeChat

OS

  • Microsoft Windows Zero Click Full Chain: 1 M USD
  • Microsoft Windows (SBX): 150k USD
  • Microsoft Windows (LPE): 100k USD
  • Linux (LPE): 100k USD
  • Apple Mac OS (LPE): 100k USD

Browsers

  • Chrome Full Chain (RCE + SBX + LPE): 1,5 M USD
  • Firefox Full Chain (RCE + SBX + LPE): 300k USD
  • Tor: 500k USD

Clients / Office / Files / Archives

  • Microsoft Outlook (RCE): 250k USD
  • Mozilla Thunderbird (RCE): 200k USD
  • Microsoft Word/Excel (RCE): 500k USD
  • Adobe Acrobat Reader (RCE + SBX): 200k USD
  • WinRAR (RCE): 100k USD
  • 7-zip (RCE): 80k USD
  • WinZip (RCE): 50k USD

Other

  • Antivirus (RCE): 50k USD
  • Antivirus (LPE): 10k USD
  • Microsoft Hyper-V: 500k USD
  • VMWware ESXi: 500k USD
  • VMWware Workstation: 300k USD
  • Parallels Desktop: 300k USD
  • CCTV (RCE): 30k USD
    • Hikvision DVR (RCE): 50k USD
  • NAS (Synology, QNAP) (RCE): 60k USD

Routers, Firewalls & Appliances

  • Cisco (RCE): 100k USD
  • Mikrotik (RCE): 100k USD
  • D-Link (RCE): 50k USD
  • TP-Link (RCE): 50k USD
  • Netgear (RCE): 50k USD
  • Ubiquiti (RCE): 50k USD
  • FortiNet (RCE): 100k USD
  • Citrix (RCE): 100k USD
  • Sonicwall (RCE): 100k USD
  • Huawei (RCE): 100k USD
  • Sophos (RCE): 100k USD
  • Juniper (RCE): 75k USD
  • HP (RCE): 50k USD

Other devices (RCE): KerioControl, Pfsense Firewall, F5 Big-IP, Linksys, TP-Link, OpenWRT

Web Servers

  • Apache HTTP Server (RCE): 500k USD
  • Microsoft IIS (RCE): 500k USD
  • Nginx (RCE): 300k USD
  • Red Hat Jboss (RCE): 50k USD
  • Apache Tomcat (RCE): 50k USD

Email Servers

  • Microsoft Exchange (RCE): 250k USD
  • Sendmail (RCE): 200k USD
  • Postfix (RCE): 200k USD
  • Exim (RCE): 200k USD
  • Dovecot (RCE): 200k USD
  • Other products (RCE): Mdeamon, Icewarp, GFI KerioConnect

IPMI

  • Sun SSP (RCE): 100k USD
  • Dell DRAC (RCE): 100k USD
  • HP iLO (RCE): 100k USD
  • Supermicro IPMI (RCE): 100k USD
  • Cisco CIMC (RCE): 100k USD
  • VNC, TeamViewer, Radmin (RCE): 100k USD
  • Other products (RCE): 50k USD

EMS

  • Microsoft SharePoint (RCE): 250k USD
  • IBM FileNet (RCE): 100k USD
  • Oracle WebCenter (RCE): 100k USD
  • IBM Lotus Domino (RCE): 50k USD

PLM and EPR

  • SAP (RCE): 250k USD
  • Siemens Teamcenter (RCE): 250k USD
  • Oracle ERP (RCE): 200k USD
  • Oracle Agile PML (RCE): 200k USD
  • SPTC Windchill PLM (RCE): 200k USD
  • MentorGraphics HyperLynx SI PLM (RCE): 100k USD
  • Enovia PLM (RCE): 50k USD

Databases

  • MS SQL Server (RCE): 150k USD
  • Oracle Database (RCE): 150k USD
  • MangoDB (RCE): 30k USD
  • MySQL (RCE): 30k USD

FTP

  • Filezilla (RCE): 50k USD
  • Titan (RCE): 30k USD
  • Serv-U (RCE): 20k USD
  • net2ftp (RCE): 10k USD
  • ProFTPD (RCE): 20k USD
  • vsFTPD (RCE): 20k USD

Other Products

  • OpenSSL (RCE): 250k USD
  • PHP (RCE): 250k USD
  • Other products (RCE): GitLab, Jenkins, Ivanti Connect Secure, phpMyAdmin, Atlassian JIRA, Zyxell Network VPN Firewall, Nagios, PRTG, Cacti, SolarWinds Orion, Git Server, GitHub, GitLab enterprise, Zabbix, Bitbucket, Watchguard

Web Apps / Web Hosting Control Panels

  • cPanel / WHM (RCE): 100k USD
  • Plesk (RCE): 100k USD
  • Webmin (RCE): 100k USD
  • Roundcube (RCE): 50k USD
  • Horde (RCE): 50k USD
  • CentOS Web Panel (RCE): 100k USD
  • ISPConfig (RCE): 50k USD
  • WHMCS (RCE): 50k USD
  • Vesta CP (RCE): 50k USD
  • DirectAdmin (RCE): 50k USD
  • Confluence (RCE): 50k USD
  • Squirellmail (RCE): 50k USD
  • Other mail servers (RCE): 25k USD

CMS

  • WordPress (RCE): 500k USD
  • phpBB (RCE): 50k USD
  • vBulletin (RCE): 75k USD
  • MyBB (RCE): 50k USD
  • Joomla (RCE): 40k USD
  • Drupal (RCE): 25k USD
  • Invision Power Board (RCE): 75k USD
  • FC: Full-Chain (usually RCE + SBX + LPE)
  • 0C: Zero Click, no user interaction
  • 1C: One Click, minimal user interaction (e.g. clicking a link, visiting a website, opening a file)
  • P-RCE: Pre-Authenticated Remote Code Execution
  • RCE: Remote Code Execution
  • LPE/PE/EoP: Local Privilege Escalation/Privilege Escalation/Elevation of Privilege
  • SBX: Sandbox Escape
  • VME: Virtual Machine Escape

Please be aware that from time to time, we will also propose high-priority bounties, with extra bonuses and private bounties to selected researchers through our Vulnerability Research Hub: be sure not to miss them!

Submit your Research

If you have what it takes, join our Vulnerability Research Hub, report your vulnerability and reclaim the highest payouts ever!

Start now

Submission Process

01

VRH

The researcher enrols on the Vulnerability Research Hub (VRH) platform.

02

Preliminary Contact

The researcher submits minimal technical specifications and video proof of the capability.

03

Technical Specification Evaluation and Negotiation

  • Crowdfense reviews the details of the exploit and gathers more feedback on the submitted asset, its features and constraints.
  • Pending clients’ interest, Crowdfense proposes a preliminary offer.

04

Contract Signature

The researcher accepts the offer and agrees on a formal contract.

05

POC Evaluation and Acceptance Test

  • The researcher supplies the exploit source code and documentation.
  • Crowdfense reviews the POC and tests the exploit.

06

Payment

Crowdfense releases the agreed amount.

Submit your Research

If you have what it takes, join our Vulnerability Research Hub, report your vulnerability and reclaim the highest payouts ever!

Start now