Payout

Which payment methods and bonuses are available?

voidsec2025-07-17T12:43:51+04:00Crowdfense usually pays researchers through international bank transfers. Where confidentiality is a concern, we can also provide payments using cryptocurrencies, such as Bitcoin (BTC).

In some cases, bounties are paid in multiple instalments, especially when a minimum exploit lifespan is required.

We also regularly launch high-priority and private bounties through the Vulnerability Research Hub (VRH), offering extra bonuses for time-sensitive or particularly valuable submissions.

Stay active on the VRH to avoid missing exclusive opportunities!

How can I increase the potential bounty/reward for my research?

voidsec2025-07-17T13:45:36+04:00

The final acquisition offer from Crowdfense is based on both the impact of the vulnerability and the technical quality of the exploit. To maximise your reward, consider the following factors:

Vulnerability Scope & Impact

• Targeting widely used products or platforms increases value

• Higher severity bugs (e.g., RCEs, sandbox escapes) are rewarded more than lower-impact ones (e.g., LPEs)

• Bugs that require minimal configuration changes or user interaction are more attractive

• Broader coverage across multiple versions or systems boosts payout potential

Exploit Quality

• High reliability and stability across different environments

• Bypasses for modern exploit mitigations (e.g., DEP, ASLR, CFG)

• Support for process continuation or clean post-exploitation state

• Clean implementation, no hardcoded offsets, no brittle ROP chains

• Fully documented technical analysis and root cause breakdown

The more impactful, versatile, and professionally packaged your submission is, the more valuable it becomes.

How much can I earn by reporting a vulnerability to Crowdfense?

voidsec2025-07-17T12:59:22+04:00

The payout depends on several key factors, including:

• Target popularity: Vulnerabilities in widely deployed software or hardware receive significantly higher rewards.

• Bug impact and scope: The more critical the vulnerability (e.g., RCE vs. LPE), and the broader the affected products or platforms, the higher the value.

• Exploit quality: We assess the reliability, sophistication, and completeness of your exploit:

  • Bypasses exploit mitigations

  • Works across multiple versions/platforms

  • Requires minimal/no user interaction

  • No hardcoded offsets or fragile techniques

  • Supports process continuation (where applicable)

Example:

An unauthenticated remote code execution (RCE) vulnerability with a robust, cross-version exploit will earn significantly more than a local privilege escalation (LPE) with limited reach.

Crowdfense consistently pays the highest bounties in the industry, with payouts designed to match the real-world impact of your research.