As the bug bounty space has matured, the range of targets to test against has expanded and diversified incredibly. Our programs offer a broad range of targets, from web and mobile, to APIs and IoT devices (even cars)! Over the last several months, Bugcrowd has launched more and more bounty programs that feature thick client applications.

Whether you have skills in testing thick client software, or want to expand your expertise, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. This quarter we’re running a limited time promotion for all submissions found in thick client applications.  

Contest Details:

From October 1st through December 31st every valid and non-duplicate vulnerability submitted against thick client targets will be entered a drawing for four $500 cash prizes.

  • Each valid submission equals one entry into the drawing. If you’ve submitted five valid bugs, you will get five entries! (By submitting valid client-side and thick client vulnerabilities, you may also qualify to receive invitations to private client-side and thick client testing programs. Read more about how we measure researcher performance.)
  • One winner will be selected for submissions triaged in October, one winner for November’s submissions, and one winner for December’s. Note: the same submitter can receive all three of these drawings, winning up to $1500. 
  • A fourth and final winner will be selected from the entire pool of previous, non-winning submissions.

How to Get Started:

Email us at and let us know that you are interested in thick client software testing! New to thick client software testing? Let us know in your email and we’d be happy to send you some online resources to help you get started.

Start testing on the following public programs that are running:

  • ALL of the targets included in the following briefs qualify for this program:
    • Avira – Client Software
    • AVG Technologies – Client Side Application
    • WHMCS – Software installation package
  • SOME of the targets included in the following briefs qualify for this program. Please be aware of which target you are submitting against!
    • Fitbit – Win10 Desktop Application
    • LastPass – Desktop Application
    • OWASPZAP – Desktop Application
    • PureVPN – Desktop Applications
    • SplashID – Desktop Applications
    • Sophos – Desktop Client

New to thick client software hacking or got skills and want to multiply them? Our Application Security Engineering team put together their favorite go-to resources, like Hacking – the Art of Exploitation (2nd edition) or Hacker Disassembling Uncovered. Want to try out some of your new skills before you tackle a bounty? Try the Embedded Security CTF!

Feel free to reach out to with any additional questions.

Happy Hunting!!