About Bounties

The Vulnerability Research Hub (VRH) is our unique private collaboration platform, a safe environment where researchers can anonymously submit, discuss and sell single zero-days and chains of exploits. To learn more about it, visit our researchers page or sign up on VRH.
Our submission process is straightforward. All research and exploits must be sent to Crowdfense using our Vulnerability Research Hub (VRH) platform. The initial submission must include the required specifications necessary to evaluate it, alongside a video POC. All final submissions must include a fully functional exploit with source code and a technical analysis including a description of the root cause of the bug(s) and exploitation method(s).
The amount paid depends on multiple variables:
  • How widespread is the software/hardware? Popular products typically reach higher amounts.
  • The scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc.).
  • The quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc.).
For example, if you find an unauthenticated remote code execution (RCE) vulnerability, you would be paid substantially more than for a privilege escalation (LPE/EoP) vulnerability.
Sure, you can receive a pre-offer for your research without disclosing it. Simply submit minimal technical details alongside a video POC on our Vulnerability Research Hub (VRH) platform. We will evaluate the details and send you a pre-offer if the research meets our requirements. The offer will be confirmed after we review, assess and approve the complete research.
Any company or individual can submit zero-day research and participate in our Exploit Acquisition Program.