Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits

Crowdfense has announced a $30 million exploit acquisition program covering Android, iOS, Chrome, and Safari zero-days.

Exploit acquisition firm Crowdfense is offering a total of $30 million for zero-day exploits targeting Android, iOS, Chrome, and Safari.

Founded in 2017, Crowdfense describes itself as “a research hub and acquisition platform for high-quality zero-day exploits and advanced vulnerability research”.

In 2019, the company announced an exploit acquisition program for Android and iOS zero-day vulnerabilities, offering payouts of up to $3 million for full-chain, previously unreported exploits.

This year, the firm has revealed significantly higher rewards as part of the program, offering bounties of up to $9 million for zero-click full-chain exploits deliverable via SMS or MMS messages.

Researchers able to deliver zero-click full-chain exploits for Android may earn as much as $5 million, while those identifying similar zero-days in iOS could receive as much as $7 million for their findings, Crowdfense says.

Exploits leading to remote code execution and sandbox escape on iOS could earn researchers up to $3.5 million.

The company is willing to pay between $2 million and $3 million for Chrome exploits leading to remote code execution and local privilege escalation, and $2.5 million to $3.5 million for similar exploits targeting Safari.

Crowdfense is also offering hundreds of thousands of dollars for less impactful sandbox escape exploits targeting Chrome and Safari.

According to the company, only fully functional, top-quality zero-day exploits will be evaluated as part of the program.

“Payouts for full-chains or previously unreported, exclusive capabilities, range from USD 10,000 to USD 9 million per successful submission. Partial chains will be evaluated on a case-by-case basis and priced proportionally,” Crowdfense announced.

Crowdfense is not the only firm looking to acquire Android and iOS exploits. Last year, Russian zero-day acquisition firm Operation Zero announced it was willing to pay up to $20 million for full exploit chains targeting the iOS and Android mobile platforms, claiming “high demand on the market”.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

