Scope

No, Crowdfense only acquires vulnerabilities that are proven to be practically exploitable and accompanied by a fully functional, reliable exploit targeting the latest stable versions of the affected software, system, or device.

We require working proof-of-concept code that demonstrates real-world exploitation potential.

However, if you believe your research holds exceptional value or could be developed into a complete exploit, feel free to contact us. We’re always open to discussing promising edge cases.

Yes, Crowdfense accepts both standalone and chained exploits.

We are open to acquiring:

  • Individual exploit components, such as a browser RCE without a sandbox escape, or a sandbox escape on its own

  • Full exploit chains, combining multiple stages (e.g., RCE + sandbox escape + privilege escalation)

As long as the submitted component demonstrates real-world impact and meets our quality standards, it will be evaluated and priced accordingly.

Yes. In addition to zero-day vulnerabilities and full exploits, Crowdfense is actively interested in acquiring:

  • Novel exploitation techniques

  • Mitigation bypasses (e.g., defeating DEP, ASLR, CFG, or PAC)

  • Innovative research that advances offensive capabilities

If you’ve developed a unique method or breakthrough in exploit development, we’re open to evaluating it and making a competitive offer.

Contact us directly to discuss your findings in a confidential setting.

If you’ve discovered a high-quality vulnerability that falls outside our listed scope, we’re still open to evaluating it on a case-by-case basis.

In such situations, the review process may take longer, as we need to assess potential buyer interest and ensure it aligns with our acquisition policies and procedures.

Have something valuable that’s not currently in scope?
Reach out to us via email; we may still be able to help.

We acquire vulnerability research and exploits affecting modern, widely used operating systems, applications, and devices, including mobile, desktop, embedded, and enterprise platforms.

Our focus is primarily on zero-day vulnerabilities; however, from time to time, we may also acquire recent n-day vulnerabilities (typically up to six months old) for mobile platforms, depending on their impact and exploitability.

For a detailed list of in-scope targets and requirements, please refer to our Exploit Acquisition Program.