Crowdfense officially launched the Vulnerability Research Hub out of beta. After being internally developed and fine-tuned for several months, Crowdfense opened their process-oriented platform to a wider audience of researchers and brokers interested in trading 0day cyber capabilities, which can be either within the scope of Crowdfense's public Bug Bounty Program or freely proposed (for a specific set of key targets).
“This is our next step in standardizing and supporting the development of what has now become a strategic industry,” said Andrea Zapparoli Manzoni, Director of Crowdfense. “This is not a ‘dark market’ anymore. Our platform helps the best researchers in the world to professionally and securely submit, discuss, test, contract and receive enticing payments for their 0day findings, in an ordered and secure way. Early testers have been extremely satisfied by the unique partnership, testing and payment opportunities we provide.”
How the Crowdfense Vulnerability Research Hub works
The platform allows researchers to submit 0day capabilities, which are then reviewed together with the Crowdfense team. Once a submission is substantiated, Crowdfense works with the researcher to contract for the final deliverable, test the code and award the bounty.
This process-centric approach ensures a faster time-to-market for sellers and higher quality products for customers, since all assets are delivered with the Crowdfense stamp of approval and are fully tested, documented and vetted in advance.
Technically, the platform is organized into a streamlined set of workflows, with maximum OpSec for all participants. It is based on a zero-trust model and offers a reduced attack surface, anonymity (if desired), full E2E encryption and several other advanced security features, both client and server side.
The VRH 1.0 features include account and key management and step-by-step workflows for the submission, technical evaluation and discussion of vulnerabilities, contracting and pricing definition, and follow-up and maintenance of 0day capabilities over time.
According to its mission, Crowdfense is only interested in evaluating exploits that allow government agencies to lawfully find and extract information from specific targets and is not purchasing 0days which can be deployed to disrupt or damage critical systems. This applies equally to the Bug Bounty Program and the VRH.
The Vulnerability Research Hub launch comes just five months after Crowdfense announced their $10 Million Public Bug Bounty program, which is the largest in the world. Their Bug Bounty Program has received a substantial number of responses and the company has paid out over $5M in a short time.
A word from the Director
Speaking with Help Net Security, Andrea Zapparoli Manzoni offers more information on the Vulnerability Research Hub: