Scope

Are theoretically exploitable bugs (e.g. PoC/crash/trigger only) eligible?

voidsec2024-03-05T21:28:46+04:00No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.

Are partial exploits (e.g. browser RCE w/o sandbox escape) eligible?

voidsec2024-03-05T21:28:40+04:00Yes. We can acquire either individual exploits (e.g. a browser RCE without a sandbox escape or a sandbox escape alone without any browser exploit) or chained/combined exploits.

Do you also acquire techniques or mitigation bypass?

voidsec2024-03-05T21:28:34+04:00We will be glad to discuss and make offers for zero-day exploits and innovative research, exploitation techniques, or mitigation bypasses. Please get in touch with us to further discuss your findings.

What if I found a vulnerability and it is not on your scope?

voidsec2024-03-05T21:28:28+04:00We can evaluate, on a case-by-case basis, bugs outside our scope. We usually need more time for this cases since an appropriate buyer must be found and the interest confirmed. Is a vulnerability not on our scope? Please send us an email ; we can still help.

Which products and/or software are eligible? What is Crowdfense’s scope?

voidsec2024-03-05T21:28:22+04:00We acquire vulnerability research and exploits affecting recent operating systems, software, and devices. Please refer to our Exploit Acquisition Program for a list of eligible products and scope.