Exploit Acquisition Program

Since 2017, Crowdfense has operated the world’s most private vulnerability acquisition program, initially backed by a USD 10 million fund and powered by our proprietary Vulnerability Research Hub (VRH) platform.

Today, the program has expanded to USD 30 million, with a broader scope that now includes enterprise software, mobile components, and messaging technologies.

We offer rewards ranging from USD 10,000 to USD 7 million for full exploit chains or previously unreported capabilities. Partial chains and individual components are assessed individually and priced accordingly.

As part of our commitment to the research community, we have also provided free, high-level technical training to hundreds of vulnerability researchers worldwide.

Scope

As part of this program, Crowdfense exclusively evaluates fully functional, high-quality zero-day exploits targeting the platforms and products listed below.

Note: All payout amounts are “up to” the stated values and are subject to change based on the technical assessment and impact of each submitted capability.

Ready to Submit?

If you’ve discovered a high-value vulnerability, join our Vulnerability Research Hub and claim the highest payouts ever!

High Demand

Zero Click Full Chains

  • Android Zero Click Full Chain (e.g. WhatsApp, RCS): 5 M USD
  • iOS Zero Click Full Chain (e.g. iMessage): from 5 to 7 M USD

Browsers

  • Chrome (RCE + LPE): from 2 to 3 M USD
  • Chrome (RCE w/o SBX): 500k USD
  • Chrome (SBX): 500k USD
  • Safari (RCE + LPE): from 2.5 to 3.5 M USD
  • Safari (RCE w/o SBX): 500k USD
  • Safari (SBX): from 300k to 400k USD

Single Components

RCE, SBX, PE (either vendor or non-vendor specific), Generic Bypass, Delivery Method or Profiling

Mobile Applications

Other apps: iCloud, Calendar, Email, Signal, FaceTime, Instagram, Telegram, Facebook, Facebook Messenger, Session, Threema, Wire, WeChat

OS

  • Microsoft Windows Zero Click Full Chain: 1 M USD
  • Microsoft Windows (SBX): 150k USD
  • Microsoft Windows (LPE): 100k USD
  • Linux (LPE): 100k USD
  • Apple macOS (LPE): 100k USD

Browsers

  • Chrome Full Chain (RCE + SBX + LPE): 1.5 M USD
  • Firefox Full Chain (RCE + SBX + LPE): 300k USD
  • Tor: 500k USD

Clients / Office / Files / Archives

  • Microsoft Outlook (RCE): 250k USD
  • Mozilla Thunderbird (RCE): 200k USD
  • Microsoft Word/Excel (RCE): 500k USD
  • Adobe Acrobat Reader (RCE + SBX): 200k USD
  • WinRAR (RCE): 100k USD
  • 7-zip (RCE): 80k USD
  • WinZip (RCE): 50k USD

Other

  • Antivirus (RCE): 50k USD
  • Antivirus (LPE): 10k USD
  • Microsoft Hyper-V: 500k USD
  • VMware ESXi: 500k USD
  • VMware Workstation: 300k USD
  • Parallels Desktop: 300k USD
  • CCTV (RCE): 30k USD
    • Hikvision DVR (RCE): 50k USD
  • NAS (Synology, QNAP) (RCE): 60k USD

Routers, Firewalls & Appliances

  • Cisco (RCE): 100k USD
  • MikroTik (RCE): 100k USD
  • D-Link (RCE): 50k USD
  • TP-Link (RCE): 50k USD
  • Netgear (RCE): 50k USD
  • Ubiquiti (RCE): 50k USD
  • Fortinet (RCE): 100k USD
  • Citrix (RCE): 100k USD
  • SonicWall (RCE): 100k USD
  • Huawei (RCE): 100k USD
  • Sophos (RCE): 100k USD
  • Juniper (RCE): 75k USD
  • HP (RCE): 50k USD

Other devices (RCE): Kerio Control, pfSense Firewall, F5 BIG-IP, Linksys, OpenWrt

Web Servers

  • Apache HTTP Server (RCE): 500k USD
  • Microsoft IIS (RCE): 500k USD
  • Nginx (RCE): 300k USD
  • Red Hat JBoss (RCE): 50k USD
  • Apache Tomcat (RCE): 50k USD

Email Servers

  • Microsoft Exchange (RCE): 250k USD
  • Sendmail (RCE): 200k USD
  • Postfix (RCE): 200k USD
  • Exim (RCE): 200k USD
  • Dovecot (RCE): 200k USD
  • Other products (RCE): MDaemon, IceWarp, GFI Kerio Connect

IPMI & Remote Access

  • Sun SSP (RCE): 100k USD
  • Dell DRAC (RCE): 100k USD
  • HP iLO (RCE): 100k USD
  • Supermicro IPMI (RCE): 100k USD
  • Cisco CIMC (RCE): 100k USD
  • VNC, TeamViewer, Radmin (RCE): 100k USD
  • Other products (RCE): 50k USD

EMS

  • Microsoft SharePoint (RCE): 250k USD
  • IBM FileNet (RCE): 100k USD
  • Oracle WebCenter (RCE): 100k USD
  • IBM Lotus Domino (RCE): 50k USD

PLM and ERP

  • SAP (RCE): 250k USD
  • Siemens Teamcenter (RCE): 250k USD
  • Oracle ERP (RCE): 200k USD
  • Oracle Agile PLM (RCE): 200k USD
  • PTC Windchill PLM (RCE): 200k USD
  • Mentor Graphics HyperLynx SI (RCE): 100k USD
  • ENOVIA PLM (RCE): 50k USD

Databases

  • Microsoft SQL Server (RCE): 150k USD
  • Oracle Database (RCE): 150k USD
  • MongoDB (RCE): 30k USD
  • MySQL (RCE): 30k USD

FTP

  • FileZilla (RCE): 50k USD
  • Titan FTP Server (RCE): 30k USD
  • Serv-U (RCE): 20k USD
  • net2ftp (RCE): 10k USD
  • ProFTPD (RCE): 20k USD
  • vsftpd (RCE): 20k USD

Other Products

  • OpenSSL (RCE): 250k USD
  • PHP (RCE): 250k USD
  • Other products (RCE): GitLab (including Enterprise Edition), Jenkins, Ivanti Connect Secure, phpMyAdmin, Atlassian Jira, Zyxel Network VPN Firewall, Nagios, PRTG, Cacti, SolarWinds Orion, Git Server, GitHub, Zabbix, Bitbucket, WatchGuard

Web Apps / Web Hosting Control Panels

  • cPanel / WHM (RCE): 100k USD
  • Plesk (RCE): 100k USD
  • Webmin (RCE): 100k USD
  • Roundcube (RCE): 50k USD
  • Horde (RCE): 50k USD
  • CentOS Web Panel (RCE): 100k USD
  • ISPConfig (RCE): 50k USD
  • WHMCS (RCE): 50k USD
  • VestaCP (RCE): 50k USD
  • DirectAdmin (RCE): 50k USD
  • Confluence (RCE): 50k USD
  • SquirrelMail (RCE): 50k USD
  • Other mail products (RCE): 25k USD

CMS

  • WordPress (RCE): 500k USD
  • phpBB (RCE): 50k USD
  • vBulletin (RCE): 75k USD
  • MyBB (RCE): 50k USD
  • Joomla (RCE): 40k USD
  • Drupal (RCE): 25k USD
  • Invision Power Board (RCE): 75k USD

Abbreviations

  • FC: Full Chain (usually RCE + SBX + LPE)
  • 0C: Zero Click, no user interaction
  • 1C: One Click, minimal user interaction (e.g. clicking a link, visiting a website, opening a file)
  • P-RCE: Pre-Authenticated Remote Code Execution
  • RCE: Remote Code Execution
  • LPE/PE/EoP: Local Privilege Escalation/Privilege Escalation/Elevation of Privilege
  • SBX: Sandbox Escape
  • VME: Virtual Machine Escape

Please note that we periodically launch high-priority and private bounties, often with additional bonuses, available exclusively to selected researchers through our Vulnerability Research Hub (VRH).
Make sure you’re registered on the platform to receive these notifications and never miss an opportunity!


Submission Process

01

Enrol on VRH

Sign up on the Vulnerability Research Hub (VRH) to initiate the submission process in a secure and confidential environment.

02

Preliminary Contact

Submit minimal technical details and a video proof-of-concept (PoC) demonstrating the exploit’s capabilities.

03

Technical Evaluation & Negotiation

Crowdfense reviews the submission and gathers further information about the exploit’s features, constraints, and impact. If aligned with client interest, a preliminary offer is extended to the researcher.

04

Contract Signature

Once the offer is accepted, both parties enter into a formal acquisition agreement, which defines the terms of exclusivity, ownership, and payment.

05

PoC Submission & Acceptance Testing

The researcher provides the full exploit package, including:

  • Source code
  • Technical analysis
  • Root cause explanation
  • Exploitation methodology

Crowdfense then performs a thorough validation and acceptance test.

06

Payment

Upon successful validation, the agreed payment is released using your preferred method (e.g., bank transfer or cryptocurrency).


Submit. Get Paid. Repeat.

Report your vulnerability on our Vulnerability Research Hub (VRH) platform and claim the highest payouts ever!