Which products or software are eligible? What is Crowdfense’s scope?
We acquire vulnerability research and exploits affecting modern, widely used operating systems, applications, and devices, including mobile, desktop, embedded, and enterprise platforms.
Our focus is primarily on zero-day vulnerabilities; however, from time to time, we may also acquire recent n-day vulnerabilities (typically up to six months old) for mobile platforms, depending on their impact and exploitability.
For a detailed list of in-scope targets and requirements, please refer to our Exploit Acquisition Program.
What is the Vulnerability Research Hub (VRH)?
The Vulnerability Research Hub (VRH) is Crowdfense’s exclusive, private platform designed for top-tier security researchers. It provides a secure and confidential environment to:
-
Anonymously submit and manage zero-day vulnerabilities and exploit chains
-
Collaborate with our technical team throughout the evaluation process
-
Track submission status and access exclusive private bounties and bonuses
Whether you're submitting a single exploit or building a long-term relationship, VRH is your gateway to maximise rewards and engage safely with the world’s most trusted acquisition platform.
To learn more, visit our researchers page or sign-up on VRH.
How do I submit my zero-day research to Crowdfense? What is the submission process?
Submitting your vulnerability research to Crowdfense is a secure and streamlined process designed to protect your work, ensure fair evaluation, and deliver prompt rewards.
All submissions are handled through our Vulnerability Research Hub (VRH), our private, encrypted platform built exclusively for trusted researchers.
Submission Process Overview
01. Enrol on VRH
Sign up on the Vulnerability Research Hub (VRH) to initiate the submission process in a secure and confidential environment.
02. Preliminary Contact
Submit minimal technical details and a video proof-of-concept (PoC) demonstrating the exploit’s capabilities.
03. Technical Evaluation & Negotiation
Crowdfense reviews the submission and gathers further information about the exploit’s features, constraints, and impact.
If aligned with client interest, a preliminary offer is extended to the researcher.
04. Contract Signature
Once the offer is accepted, both parties enter into a formal acquisition agreement, which defines the terms of exclusivity, ownership, and payment.
05. PoC Submission & Acceptance Testing
You provide the full exploit package, including:
- Source code
- Technical analysis
- Root cause explanation
- Exploitation methodology
Crowdfense then performs a thorough validation and acceptance test.
06. Payment
Upon successful validation, the agreed payment is released using your preferred method (e.g., bank transfer or cryptocurrency).
How much can I earn by reporting a vulnerability to Crowdfense?
The payout depends on several key factors, including:
-
Target popularity: Vulnerabilities in widely deployed software or hardware receive significantly higher rewards.
-
Bug impact and scope: The more critical the vulnerability (e.g., RCE vs. LPE), and the broader the affected products or platforms, the higher the value.
-
Exploit quality: We assess the reliability, sophistication, and completeness of your exploit:
-
Bypasses exploit mitigations
-
Works across multiple versions/platforms
-
Requires minimal/no user interaction
-
No hardcoded offsets or fragile techniques
-
Supports process continuation (where applicable)
-
Example:
An unauthenticated remote code execution (RCE) vulnerability with a robust, cross-version exploit will earn significantly more than a local privilege escalation (LPE) with limited reach.
Crowdfense consistently pays the highest bounties in the industry, with payouts designed to match the real-world impact of your research.
Can I receive a pre-offer from Crowdfense before submitting my full research?
Yes, and unlike many other platforms, Crowdfense never requires you to disclose your full research, source code, or intellectual property before a formal agreement is in place.
To receive a preliminary offer, simply submit via our secure Vulnerability Research Hub (VRH)
-
Minimal technical specifications
-
A video proof-of-concept (PoC)
These details are sufficient for Crowdfense and our clients to conduct a preliminary evaluation and assess interest.
If your submission meets our criteria, we’ll issue a pre-offer. The complete research package, including source code, documentation, and technical analysis, is only required after both parties sign a formal acquisition contract.
This ensures you maintain complete control of your intellectual property until terms are clearly defined and agreed upon.
Who can submit vulnerabilities to Crowdfense?
Any individual researcher or company with original zero-day research is welcome to participate in our Exploit Acquisition Program.
We work with both independent experts and established teams from around the world. As long as the submission is legitimate, high-quality, and meets our criteria, you’re eligible to engage with us and be rewarded accordingly.
What are the benefits of reporting a vulnerability to Crowdfense instead of the vendor?
While vendors may offer limited rewards and impose disclosure constraints, Crowdfense provides a more rewarding, efficient, and researcher-centric alternative.
Key benefits:
-
Significantly higher payouts: We offer the highest bounties in the industry, far exceeding typical vendor rewards.
-
No public disclosure pressure: Unlike vendors, we don’t require you to follow coordinated disclosure timelines or share your work publicly.
-
Full confidentiality: Your identity and submission are handled with strict discretion.
-
Streamlined process: Our Vulnerability Research Hub (VRH) makes it easy to securely submit, track, and get paid for your research.
By reporting to Crowdfense, you maintain control, confidentiality, and maximum reward for your work.
Why should I submit a vulnerability through Crowdfense?
At Crowdfense, we offer the highest payouts in the industry for high-impact vulnerabilities. We believe top-tier researchers deserve top-tier rewards, and we back that belief with real, competitive compensation.
Our Vulnerability Research Hub (VRH) provides a secure, streamlined, and transparent submission process, guiding you from the initial report to final payout with complete confidentiality and expert support.
Whether you're submitting a single exploit or building a long-term relationship, Crowdfense ensures that your work is valued, protected, and rewarded.
Is Crowdfense hiring security researchers?
We often seek vulnerability researchers to join our internal zero-day research team. Crowdfense researchers conduct cutting-edge vulnerability research and exploit development. They find zero-day vulnerabilities, write in-depth root-cause analyses, contextualise the vulnerabilities and attack vectors, and identify patterns in emerging and established attack surface areas. Visit our careers page to find employment opportunities.Who are Crowdfense’s customers?
Crowdfense collaborates with government institutions, including national security, intelligence, and law enforcement agencies (LEAs), as well as trusted system integrators that require access to advanced zero-day exploits and cybersecurity capabilities.
We maintain rigorous export control, compliance, and due diligence protocols, applying the highest vetting standards in the industry. This ensures that every partnership is conducted with complete transparency, accountability, and legal oversight.
