About Bounties

The Vulnerability Research Hub (VRH) is Crowdfense’s exclusive, private platform designed for top-tier security researchers. It provides a secure and confidential environment to:

  • Anonymously submit and manage zero-day vulnerabilities and exploit chains

  • Collaborate with our technical team throughout the evaluation process

  • Track submission status and access exclusive private bounties and bonuses

Whether you're submitting a single exploit or building a long-term relationship, VRH is your gateway to maximise rewards and engage safely with the world’s most trusted acquisition platform.

To learn more, visit our researchers page or sign-up on VRH.

Submitting your vulnerability research to Crowdfense is a secure and streamlined process designed to protect your work, ensure fair evaluation, and deliver prompt rewards.

All submissions are handled through our Vulnerability Research Hub (VRH), our private, encrypted platform built exclusively for trusted researchers.

Submission Process Overview

01. Enrol on VRH
Sign up on the Vulnerability Research Hub (VRH) to initiate the submission process in a secure and confidential environment.

02. Preliminary Contact
Submit minimal technical details and a video proof-of-concept (PoC) demonstrating the exploit’s capabilities.

03. Technical Evaluation & Negotiation
Crowdfense reviews the submission and gathers further information about the exploit’s features, constraints, and impact.
If aligned with client interest, a preliminary offer is extended to the researcher.

04. Contract Signature
Once the offer is accepted, both parties enter into a formal acquisition agreement, which defines the terms of exclusivity, ownership, and payment.

05. PoC Submission & Acceptance Testing
You provide the full exploit package, including:

  • Source code
  • Technical analysis
  • Root cause explanation
  • Exploitation methodology

Crowdfense then performs a thorough validation and acceptance test.

06. Payment
Upon successful validation, the agreed payment is released using your preferred method (e.g., bank transfer or cryptocurrency).

The payout depends on several key factors, including:

  • Target popularity: Vulnerabilities in widely deployed software or hardware receive significantly higher rewards.

  • Bug impact and scope: The more critical the vulnerability (e.g., RCE vs. LPE), and the broader the affected products or platforms, the higher the value.

  • Exploit quality: We assess the reliability, sophistication, and completeness of your exploit:

    • Bypasses exploit mitigations

    • Works across multiple versions/platforms

    • Requires minimal/no user interaction

    • No hardcoded offsets or fragile techniques

    • Supports process continuation (where applicable)

Example:

An unauthenticated remote code execution (RCE) vulnerability with a robust, cross-version exploit will earn significantly more than a local privilege escalation (LPE) with limited reach.

Crowdfense consistently pays the highest bounties in the industry, with payouts designed to match the real-world impact of your research.

Yes, and unlike many other platforms, Crowdfense never requires you to disclose your full research, source code, or intellectual property before a formal agreement is in place.

To receive a preliminary offer, simply submit via our secure Vulnerability Research Hub (VRH)

  • Minimal technical specifications

  • A video proof-of-concept (PoC)

These details are sufficient for Crowdfense and our clients to conduct a preliminary evaluation and assess interest.

If your submission meets our criteria, we’ll issue a pre-offer. The complete research package, including source code, documentation, and technical analysis, is only required after both parties sign a formal acquisition contract.

This ensures you maintain complete control of your intellectual property until terms are clearly defined and agreed upon.

Any individual researcher or company with original zero-day research is welcome to participate in our Exploit Acquisition Program.

We work with both independent experts and established teams from around the world. As long as the submission is legitimate, high-quality, and meets our criteria, you’re eligible to engage with us and be rewarded accordingly.