FAQs Archive - Page 2 of 3

Which products and/or software are eligible? What is Crowdfense’s scope?

We acquire vulnerability research and exploits affecting recent operating systems, software, and devices. Please refer to our Exploit Acquisition Program for a list of eligible products and scope.

What is VRH?

The Vulnerability Research Hub (VRH) is our unique private collaboration platform, a safe environment where researchers can anonymously submit, discuss and sell single zero-day and chains of exploits. To know more about it, visit our researchers page or sign-up on VRH .

How do I submit my zero-day research to Crowdfense? What is your submission process?

Our submission process is straightforward. All research and exploits must be sent to Crowdfense using our Vulnerability Research Hub (VRH) platform. Initial submission must include the required specifications, necessary to evaluate your submission, alongside a video POC. All final submissions must include a fully functional exploit with source code, a technical analysis including a description of the root cause of the bug(s) and exploitation method(s).

How much can I earn from working with you?

The amount paid depends on multiple variables:

How widespread is the software/hardware? Popular products typically reach higher amounts.
The scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc)
The quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc).

For example, if you find an unauthenticated remote code execution (RCE) vulnerability, you would be paid substantially more than for a privilege escalation (LPE/EoP) vulnerability.

Can I receive a pre-offer from Crowdfense before I submit my full research?

Sure, you can receive a pre-offer for your research without disclosing it. Simply submit minimal technical details alongside a video POC on our Vulnerability Research Hub (VRH) platform. We will evaluate the details and send you a pre-offer if the research meets our requirements. The offer will be confirmed after we review, assess and approve the complete research.

Who can participate in the Crowdfense program and submit exploits?

Any company or individual can submit zero-day research and participate in our Exploit Acquisition Program .

What are the benefits of reporting a vulnerability to Crowdfense instead of reporting directly to the vendor?

We pay the highest bounties in the industry. Our payouts will exceed everything that a vendor can offer. We believe researchers need to get paid for their efforts, and we are willing to offer higher rewards. Our Vulnerability Research Hub (VRH) offers a streamlined process from vulnerability submission to reclaiming your bounty.

Why submit through Crowdfense?

We pay the highest bounties in the industry. We believe researchers need to get paid for their efforts, and we are willing to offer higher rewards. Our Vulnerability Research Hub (VRH) offers a streamlined process from vulnerability submission to reclaiming your bounty.

Is Crowdfense hiring security researchers?

We often seek vulnerability researchers to join our internal zero-day research team. Crowdfense researchers conduct cutting-edge vulnerability research and exploit development. They find zero-day vulnerabilities, write in-depth root-cause analyses, contextualise the vulnerabilities and attack vectors, and identify patterns in emerging and established attack surface areas. Visit our careers page to find employment opportunities.

Who are Crowdfense’s customers?

Crowdfense customers are government institutions in need of advanced zero-day exploits and cyber security capabilities. Crowdfense adheres to unparalleled export control, compliance, due diligence, and vetting standards to ensure transparency and accountability for the world’s most trusted vulnerability acquisition platform.