The Dubai-based exploit buyer said on Thursday that the new Vulnerability Research Platform (VRP) will provide an area for “vulnerability researchers to safely submit, discuss and quickly sell single zero-day exploits and chains of exploits.”
Crowdfense purchases vulnerabilities and exploit chains in order to sell them on to “global institutional customers,” which may include government entities or law enforcement.
Due to open on September 3, the platform is meant to streamline the process of submitting valid security flaws by offering step-by-step guides, technical evaluations, pricing and follow-up communication channels.
“Through the VRP, Crowdfense experts work in real time with researchers to evaluate, test, document and refine their findings,” said Andrea Zapparoli Manzoni, Director of Crowdfense. “The findings can be both within the scope of Crowdfense public bug bounty program or freely proposed by researchers.”
Crowdfense’s bug bounty program, launched earlier this year, offers financial rewards ranging from $500,000 to $3 million for zero-day bugs as well as partial exploit chains.
The market for zero-day exploits is lucrative. One of Crowdfense’s main competitors is Washington, D.C-based Zerodium, a private exploit seller which became well-known after offering up to $1.5 million for iPhone zero-day flaws, $1 million for vulnerabilities which could be used to compromise the Tor network and $500,000 for unknown security flaws in popular messaging applications.
“This process-centric approach ensures a faster time-to-market for sellers and higher quality products for customers since all assets are delivered with the Crowdfense stamp of approval and are fully tested, document and vetted in advance,” the company says. “The VRP is committed to becoming a standardized, user-friendly tool for vulnerability researchers and brokers who want to speed up and simplify the process for evaluating and trading zero-day capabilities within a highly confidential, legal and financially lucrative platform.”