Limited-Time Bug Bounties

Introduction

In addition to our permanent bounties, we are looking, from time to time, to acquire other zero-day exploits that are not within our usual scope or for which we are temporarily increasing the payouts. In some cases, we may pay each bounty multiple times to acquire distinct exploits for the same software.


Current Temporary Bounties

VMware vCenter Server RCE

  • Status: Active
  • Target: VMware vCenter Server
  • Bounty: Up to $100,000
  • Start Date: 5 July 2021
  • End Date: 30 September 2021

We are looking for pre-authentication exploits affecting recent versions of VMware vCenter Server. The exploit should allow remote code execution, work with default installations and default ports/services, and should not require any authentication or user interaction.



Moodle RCE

  • Status: Active
  • Target: Moodle
  • Bounty: Up to $25,000
  • Start Date: 15 June 2021
  • End Date: 31 August 2021

We are looking for pre-authentication exploits affecting recent versions of Moodle. The exploit should allow remote code execution, work with default installations and should not require any authentication or user interaction.



Pidgin RCE

  • Status: Active
  • Target: Pidgin
  • Bounty: Up to $100,000
  • Start Date: 1 June 2021
  • End Date: 31 August 2021

We are looking for remote code execution exploits affecting recent versions of Pidgin on Windows and/or Linux. The exploit should work with default installations and should not require any user interaction other than reading a message.



ISPConfig Pre-Auth RCE

  • Status: Active
  • Target: ISPConfig
  • Bounty: Up to $50,000
  • Start Date: 22 April 2021
  • End Date: TBD
ISPConfig RCE

We are looking for pre-authentication exploits affecting recent versions of ISPConfig. The exploit should allow remote code execution, work with default installations and should not require any authentication or admin interaction.



WordPress Pre-Auth RCE

  • Status: Active
  • Target: WordPress
  • Bounty: Up to $300,000
  • Start Date: 31 March 2021
  • End Date: TBD
WordPress RCE

We are temporarily increasing our payout for WordPress RCEs from $100,000 to $300,000. We are looking for pre-authentication exploits affecting recent versions of WordPress. The exploit should allow remote code execution, work with default installations and should not require any authentication or user interaction.




Expired Temporary Bounties

IceWarp

  • Status: Expired
  • Target: IceWarp
  • Bounty: Up to $60,000
  • Start Date: 15 June 2021
  • End Date: 30 June 2021
IceWarp RCE

We are looking for pre-authentication exploits affecting recent versions of IceWarp email server for Windows. The exploit should allow remote code execution on Windows, work with default installations and should not require any authentication or user interaction.


SAP NetWeaver

  • Status: Expired
  • Target: SAP NetWeaver
  • Bounty: Up to $50,000
  • Start Date: 26 August 2020
  • End Date: 30 September 2020

We are looking for pre-authentication RCEs or authentication bypass exploits affecting recent versions of SAP NetWeaver. The exploit should allow either remote code execution or authentication bypass, work with default installations and should not require any authentication or user interaction.

VMware ESXi

  • Status: Expired
  • Target: VMware ESXi
  • Bounty: Up to $500,000
  • Start Date: 5 March 2019
  • End Date: 30 June 2019

We are temporarily increasing our payout for VMware ESXi RCEs from $200,000 to $500,000. We are looking for guest-to-host escape exploits affecting recent versions of VMware ESXi. The exploit should allow VM escape (Windows or Linux VM) and work with default installations.