Bug Bounty Offers Big Bucks
Researcher could win up to $3 million.
A bug bounty program worth a total of $10 million aims at acquiring and developing active cyber-defense capabilities for some of the most popular software programs for Windows, MacOS, iOS and Android. The public program's payouts favor quality over quantity, with the goal of identifying and addressing some of the toughest problems.
Crowdfense Limited, a vulnerability research hub, is sponsoring the program. Payouts for full-chain, previously unreported, exclusive capabilities range from $500,000 to $3 million per successful submission. Partial chains will be evaluated on a case-by-case basis and rewarded proportionally. The company will only evaluate fully functional zero-day exploits affecting specific platforms and products, including Windows Chrome remote code execution, Sandbox Escape; and MacOS Safari remote code execution, Sandbox Escape.
The first researcher who submits indisputable proof of a fully working chain within the scope of the bounty program will receive a 10 percent bonus of the designated payout. Researchers also are invited to submit their original work about other products’ working vulnerabilities, which will be evaluated on a case-by-case basis.
"We work only with the best vulnerability researchers, focusing on very select capabilities with a highly structured and scientific approach," states Andrea Zapparoli Manzoni, director, Crowdfense. "Now that this originally underground practice has become a strategic high-tech industry, it is necessary to implement good business processes, checks and guarantees for all the parties involved. That is why we built Crowdfense: The market needed a neutral, reliable, law-abiding, process-driven partner to deliver top-quality active cyber-defense capabilities."
A global team of cybersecurity experts, researchers and lawyers developed the company in 2017 to work on some of the largest cyber-defense challenges that organizations and countries face today. The company plans to offer private challenges to selected researchers through its vulnerability research platform, which will be available later this year.