About Bounties Archives

Do you have a standard specifications template?

Yes, please register to our Vulnerability Research Hub (VRH) platform to use its template and speed up the validation and confirmation of your discovery.

How do you protect the privacy and confidentiality of researcher’s information?

We take the privacy of researchers very seriously; we will never disclose to any third party (including customers) any personal information about researchers, such as names, aliases, email addresses, bank details, or any other personal or confidential information. We even restrict internal access to your data on a need-to-know basis and use your personal information for the sole purpose of processing payments. All messages we receive and send on VRH or via email are encrypted with PGP. VRH data is encrypted at rest; we employ HSM on our server and routinely perform security testing on our infrastructure and services.

Which payment methods and bonuses are available?

Crowdfense usually pays researchers through international bank transfers. Where confidentiality is important, we can also pay using cryptocurrencies. Crowdfense pays some bounties in multiple instalments to ensure that the research will meet a minimum lifespan requirement. From time to time, we will propose high-priority bounties, with extra bonuses and private bounties to selected researchers through our Vulnerability Research Hub (VRH): be sure not to miss them!

What happens after accepting an acquisition offer from Crowdfense?

After assessing and approving the research, we will send you the final acquisition offer and the agreement. By signing the agreement, you accept the exclusive sale (unless differently agreed) of your research to Crowdfense and fully transfer all related intellectual property rights to us, meaning that the research becomes the exclusive property of Crowdfense. You are not allowed to re-sell, share, publish, or report the research to any other person or entity at any time.

How can I increase the potential bounty/reward for my research?

The final offer sent by Crowdfense to acquire your exploit, after your submission is thoroughly reviewed and validated, will depend on the scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc), but also on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc).

Are theoretically exploitable bugs (e.g. PoC/crash/trigger only) eligible?

No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.

Are partial exploits (e.g. browser RCE w/o sandbox escape) eligible?

Yes. We can acquire either individual exploits (e.g. a browser RCE without a sandbox escape or a sandbox escape alone without any browser exploit) or chained/combined exploits.

Do you also acquire techniques or mitigation bypass?

We will be glad to discuss and make offers for zero-day exploits and innovative research, exploitation techniques, or mitigation bypasses. Please get in touch with us to further discuss your findings.

What if I found a vulnerability and it is not on your scope?

We can evaluate, on a case-by-case basis, bugs outside our scope. We usually need more time for this cases since an appropriate buyer must be found and the interest confirmed. Is a vulnerability not on our scope? Please send us an email ; we can still help.

Which products and/or software are eligible? What is Crowdfense’s scope?

We acquire vulnerability research and exploits affecting recent operating systems, software, and devices. Please refer to our Exploit Acquisition Program for a list of eligible products and scope.