Limited-Time Bug Bounties

Introduction

Additionally to our permanent bounties, we are looking, from to time, to acquire other zero-day exploits that are not within our usual scope or for which we are temporarily increasing the payouts. These temporary bounties remain active until their expiration date regardless of the number of submissions received or exploits acquired.


Current Temporary Bounties

IceWarp RCE

  • Status: Active
  • Target: IceWarp
  • Bounty: Up to $60,000
  • Start Date: 15 June 2021
  • End Date: 30 September 2021
IceWarp RCE

We are looking for pre-authentication exploits affecting the latest version of IceWarp email server for Windows. The exploit should allow remote code execution on Windows, work with default installations and should not require any authentication or user interaction.


Submit Now

Moodle RCE

  • Status: Active
  • Target: Moodle
  • Bounty: Up to $25,000
  • Start Date: 15 June 2021
  • End Date: 31 August 2021
Moodle RCE

We are looking for pre-authentication exploits affecting the latest version of Moodle. The exploit should allow remote code execution, work with default installations and should not require any authentication or user interaction.


Submit Now

Pidgin RCE

  • Status: Active
  • Target: Pidgin
  • Bounty: Up to $100,000
  • Start Date: 1 June 2021
  • End Date: 31 August 2021
Pidgin RCE

We are looking for remote code execution exploits affecting the latest version of Pidgin on Windows and/or Linux. The exploit should work with default installations and should not require any user interaction other than reading a message.


Submit Now

ISPConfig Pre-Auth RCE

  • Status: Active
  • Target: ISPConfig
  • Bounty: Up to $50,000
  • Start Date: 22 April 2021
  • End Date: TBD
ISPConfig RCE

We are looking for pre-authentication exploits affecting the latest version of ISPConfig. The exploit should allow remote code execution, work with default installations and should not require any authentication or admin interaction.


Submit Now

WordPress Pre-Auth RCE

  • Status: Active
  • Target: WordPress
  • Bounty: Up to $300,000
  • Start Date: 31 March 2021
  • End Date: TBD
WordPress RCE

We are temporarily increasing our payout for WordPress RCEs from $100,000 to $300,000. We are looking for pre-authentication exploits affecting the latest version of WordPress. The exploit should allow remote code execution, work with default installations and should not require any authentication or user interaction.


Submit Now


Expired Temporary Bounties

SAP NetWeaver

  • Status: Expired
  • Target: SAP NetWeaver
  • Bounty: Up to $50,000
  • Start Date: 26 August 2020
  • End Date: 30 September 2020
SAP NetWeaver

We are looking for pre-authentication RCEs or authentication bypass exploits affecting the latest versions of SAP NetWeaver. The exploit should allow either remote code execution or authentication bypass, work with default installations and should not require any authentication or user interaction.

VMware ESXi

  • Status: Expired
  • Target: VMware ESXi
  • Bounty: Up to $500,000
  • Start Date: 5 March 2019
  • End Date: 30 June 2019
VMware ESXi

We are temporarily increasing our payout for VMware ESXi RCEs from $200,000 to $500,000. We are looking for guest-to-host escape exploits affecting the latest versions of VMware ESXi. The exploit should allow VM escape (Windows or Linux VM) and work with default installations.