UAE bug bounty company Crowdfense has announced the launch of a Vulnerability Research Platform (VRP) to allow security researchers to submit zero-day exploits for sale.
The VRP will be an anonymous, web-based platform where vulnerability researchers can safely submit, discuss and quickly sell single zero-day exploits and chains of exploits.
The platform is intended to give researchers a quicker way to monetize zero-day vulnerabilities they have discovered, and to give Crowdfense customers a way to source higher-quality experts.
The company announced the VRP, which is due for launch on 3rd September, at the recent Black Hat security conference.
Speaking to media before the launch, Andrea Zapparoli Manzoni, director of Crowdfense, said that the company has paid $5m in bounties since its launch in April, with a highest single bounty of $1.5m. Payments have typically been around $100,000, Manzoni added.
Abu Dhabi-registered Crowdfense was established to professionalise the trade in zero-day exploits, and to become a trusted broker through which legitimate law enforcement and security agencies can source exploits to conduct surveillance. The company says it only trades in a very narrow set of vulnerabilities in operating systems and web browsers, and will not deal in cyberweapons or tools for financial theft, among other exclusions. It also says it will only sell those exploits to carefully vetted government clients.
The company said that the VRP will allow Crowdfense experts to work in real time with researchers to evaluate, test, document and refine their findings, either within the scope of Crowdfense's public Bug Bounty Program or freely proposed by researchers (for a specific set of key targets).
The platform has a streamlined set of workflows, with maximum OpSec for all participants. It is based on a zero-trust model and offers a reduced attack surface, anonymity (if desired), full E2E encryption and several other advanced security features, both client and server side.
The VRP v1.0 features include account and key management and step-by-step workflows for the submission, technical evaluation and discussion of vulnerabilities, contracting and pricing definition, and the follow-up and maintenance of zero-day capabilities over time.
Crowdfense said the platform has been developed following private beta testing with support from ethical hackers, vulnerability research teams and selected brokers, with the aim of defining new best practices for the zero-day market.