Since 2017, Crowdfense has operated the world’s most private vulnerability acquisition program, initially backed by a USD 10 million fund and powered by our proprietary Vulnerability Research Hub (VRH) platform.
Today, the program has expanded to USD 30 million, with a broader scope that now includes enterprise software, mobile components, and messaging technologies.
We offer rewards ranging from USD 10,000 to USD 7 million for full exploit chains or previously unreported capabilities. Partial chains and individual components are assessed individually and priced accordingly.
As part of our commitment to the research community, we have also offered free high-level technical training to hundreds of vulnerability researchers worldwide.
Scope
As part of this program, Crowdfense exclusively evaluates fully functional, high-quality zero-day exploits targeting the platforms and products listed below.
Note: All payout amounts are “up to” the stated values and are subject to change based on the technical assessment and impact of each submitted capability.
Zero Click Full Chains
- Android Zero Click Full Chain (e.g. WhatsApp, RCS): 5 M USD
- iOS Zero Click Full Chain (e.g. iMessage): from 5 to 7 M USD
Browsers
- Chrome (RCE + LPE): from 2 to 3 M USD
- Chrome (RCE w/o SBX): 500k USD
- Chrome (SBX): 500k USD
- Safari (RCE + LPE): from 2.5 to 3.5 M USD
- Safari (RCE w/o SBX): 500k USD
- Safari (SBX): from 300 to 400k USD
Single Components
RCE, SBX, PE (either vendor or non-vendor specific), Generic Bypass, Delivery Method or Profiling
Mobile Applications
Other apps: iCloud, Calendar, Email, Signal, FaceTime, Instagram, Telegram, Facebook, Facebook Messenger, Session, Threema, Wire, WeChat
OS
- Microsoft Windows Zero Click Full Chain: 1 M USD
- Microsoft Windows (SBX): 150k USD
- Microsoft Windows (LPE): 100k USD
- Linux (LPE): 100k USD
- Apple macOS (LPE): 100k USD
Browsers
- Chrome Full Chain (RCE + SBX + LPE): 1.5 M USD
- Firefox Full Chain (RCE + SBX + LPE): 300k USD
- Tor: 500k USD
Clients / Office / Files / Archives
- Microsoft Outlook (RCE): 250k USD
- Mozilla Thunderbird (RCE): 200k USD
- Microsoft Word/Excel (RCE): 500k USD
- Adobe Acrobat Reader (RCE + SBX): 200k USD
- WinRAR (RCE): 100k USD
- 7-zip (RCE): 80k USD
- WinZip (RCE): 50k USD
Other
- Antivirus (RCE): 50k USD
- Antivirus (LPE): 10k USD
- Microsoft Hyper-V: 500k USD
- VMware ESXi: 500k USD
- VMware Workstation: 300k USD
- Parallels Desktop: 300k USD
- CCTV (RCE): 30k USD
- Hikvision DVR (RCE): 50k USD
- NAS (Synology, QNAP) (RCE): 60k USD
Routers, Firewalls & Appliances
- Cisco (RCE): 100k USD
- MikroTik (RCE): 100k USD
- D-Link (RCE): 50k USD
- TP-Link (RCE): 50k USD
- Netgear (RCE): 50k USD
- Ubiquiti (RCE): 50k USD
- Fortinet (RCE): 100k USD
- Citrix (RCE): 100k USD
- SonicWall (RCE): 100k USD
- Huawei (RCE): 100k USD
- Sophos (RCE): 100k USD
- Juniper (RCE): 75k USD
- HP (RCE): 50k USD
Other devices (RCE): Kerio Control, pfSense Firewall, F5 BIG-IP, Linksys, TP-Link, OpenWrt
Web Servers
- Apache HTTP Server (RCE): 500k USD
- Microsoft IIS (RCE): 500k USD
- Nginx (RCE): 300k USD
- Red Hat JBoss (RCE): 50k USD
- Apache Tomcat (RCE): 50k USD
Email Servers
- Microsoft Exchange (RCE): 250k USD
- Sendmail (RCE): 200k USD
- Postfix (RCE): 200k USD
- Exim (RCE): 200k USD
- Dovecot (RCE): 200k USD
- Other products (RCE): MDaemon, IceWarp, GFI Kerio Connect
IPMI
- Sun SSP (RCE): 100k USD
- Dell DRAC (RCE): 100k USD
- HP iLO (RCE): 100k USD
- Supermicro IPMI (RCE): 100k USD
- Cisco CIMC (RCE): 100k USD
- VNC, TeamViewer, Radmin (RCE): 100k USD
- Other products (RCE): 50k USD
EMS
- Microsoft SharePoint (RCE): 250k USD
- IBM FileNet (RCE): 100k USD
- Oracle WebCenter (RCE): 100k USD
- IBM Lotus Domino (RCE): 50k USD
PLM and ERP
- SAP (RCE): 250k USD
- Siemens Teamcenter (RCE): 250k USD
- Oracle ERP (RCE): 200k USD
- Oracle Agile PLM (RCE): 200k USD
- PTC Windchill PLM (RCE): 200k USD
- MentorGraphics HyperLynx SI PLM (RCE): 100k USD
- Enovia PLM (RCE): 50k USD
Databases
- MS SQL Server (RCE): 150k USD
- Oracle Database (RCE): 150k USD
- MongoDB (RCE): 30k USD
- MySQL (RCE): 30k USD
FTP
- FileZilla (RCE): 50k USD
- Titan (RCE): 30k USD
- Serv-U (RCE): 20k USD
- net2ftp (RCE): 10k USD
- ProFTPD (RCE): 20k USD
- vsFTPD (RCE): 20k USD
Other Products
- OpenSSL (RCE): 250k USD
- PHP (RCE): 250k USD
- Other products (RCE): GitLab, Jenkins, Ivanti Connect Secure, phpMyAdmin, Atlassian JIRA, Zyxel Network VPN Firewall, Nagios, PRTG, Cacti, SolarWinds Orion, Git Server, GitHub, GitLab Enterprise, Zabbix, Bitbucket, WatchGuard
Web Apps / Web Hosting Control Panels
- cPanel / WHM (RCE): 100k USD
- Plesk (RCE): 100k USD
- Webmin (RCE): 100k USD
- Roundcube (RCE): 50k USD
- Horde (RCE): 50k USD
- CentOS Web Panel (RCE): 100k USD
- ISPConfig (RCE): 50k USD
- WHMCS (RCE): 50k USD
- Vesta CP (RCE): 50k USD
- DirectAdmin (RCE): 50k USD
- Confluence (RCE): 50k USD
- SquirrelMail (RCE): 50k USD
- Other mail servers (RCE): 25k USD
CMS
- WordPress (RCE): 500k USD
- phpBB (RCE): 50k USD
- vBulletin (RCE): 75k USD
- MyBB (RCE): 50k USD
- Joomla (RCE): 40k USD
- Drupal (RCE): 25k USD
- Invision Power Board (RCE): 75k USD
Legend
- FC: Full Chain (usually RCE + SBX + LPE)
- 0C: Zero Click, no user interaction
- 1C: One Click, minimal user interaction (e.g. clicking a link, visiting a website, opening a file)
- P-RCE: Pre-Authenticated Remote Code Execution
- RCE: Remote Code Execution
- LPE/PE/EoP: Local Privilege Escalation/Privilege Escalation/Elevation of Privilege
- SBX: Sandbox Escape
- VME: Virtual Machine Escape
Please note that we periodically launch high-priority and private bounties, often with additional bonuses, available exclusively to selected researchers through our Vulnerability Research Hub (VRH).
Make sure you’re registered on the platform to receive these notifications and never miss an opportunity!
Submission Process
Sign up on the Vulnerability Research Hub (VRH) to initiate the submission process in a secure and confidential environment.
Submit minimal technical details and a video proof-of-concept (PoC) demonstrating the exploit’s capabilities.
Crowdfense reviews the submission and gathers further information about the exploit’s features, constraints, and impact. If aligned with client interest, a preliminary offer is extended to the researcher.
Once the offer is accepted, both parties enter into a formal acquisition agreement, which defines the terms of exclusivity, ownership, and payment.
The researcher provides the full exploit package, including:
- Source code
- Technical analysis
- Root cause explanation
- Exploitation methodology
Crowdfense then performs a thorough validation and acceptance test.
Upon successful validation, the agreed payment is released using your preferred method (e.g., bank transfer or cryptocurrency).