FAQs

Yes, please register to our Vulnerability Research Hub (VRH) platform to use its template and speed up the validation and confirmation of your discovery.
We take the privacy of researchers very seriously; we will never disclose to any third party (including customers) any personal information about researchers, such as names, aliases, email addresses, bank details, or any other personal or confidential information. We even restrict internal access to your data on a need-to-know basis and use your personal information for the sole purpose of processing payments. All messages we receive and send on VRH or via email are encrypted with PGP. VRH data is encrypted at rest; we employ HSM on our server and routinely perform security testing on our infrastructure and services.
Crowdfense usually pays researchers through international bank transfers. Where confidentiality is important, we can also pay using cryptocurrencies. Crowdfense pays some bounties in multiple instalments to ensure that the research will meet a minimum lifespan requirement. From time to time, we will propose high-priority bounties, with extra bonuses and private bounties to selected researchers through our Vulnerability Research Hub (VRH): be sure not to miss them!
After assessing and approving the research, we will send you the final acquisition offer and the agreement. By signing the agreement, you accept the exclusive sale (unless differently agreed) of your research to Crowdfense and fully transfer all related intellectual property rights to us, meaning that the research becomes the exclusive property of Crowdfense. You are not allowed to re-sell, share, publish, or report the research to any other person or entity at any time.
The final offer sent by Crowdfense to acquire your exploit, after your submission is thoroughly reviewed and validated, will depend on the scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc), but also on the quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc).
No. We only acquire vulnerabilities proven to be exploitable and accompanied by a fully functional exploit working with the latest stable versions of the affected software/system/device. Feel free to contact us if you think that your research may still be eligible.
Yes. We can acquire either individual exploits (e.g. a browser RCE without a sandbox escape or a sandbox escape alone without any browser exploit) or chained/combined exploits.
We will be glad to discuss and make offers for zero-day exploits and innovative research, exploitation techniques, or mitigation bypasses. Please get in touch with us to further discuss your findings.
We can evaluate, on a case-by-case basis, bugs outside our scope. We usually need more time for this cases since an appropriate buyer must be found and the interest confirmed. Is a vulnerability not on our scope? Please send us an email ; we can still help.
We acquire high-risk vulnerabilities accompanied by a fully functional and reliable exploit. Please refer to our Exploit Acquisition Program for a list of eligible exploits and scope.