Throughout October, November and December 2016, we challenged our crowd to submit bugs against some challenging targets–thick client applications. Previously we announced our October and November winners and today we’re excited to announce our two final two winners:

Congratulations to our winner for the month of December, @ctus,  and to our final winner, @Mongoxgas.

Our response to the promotion was so positive, we’ve decided to extend it until March 2017–and have increased the reward pool! Check out the details below for all the good stuff.

Contest Details:

From January 1st through March 31st, every valid and non-duplicate vulnerability submitted against thick client targets will be entered a drawing for a total of $2500 cash prizes.

  • Each valid submission equals one entry into the drawing. If you’ve submitted five valid bugs, you will get five entries! (By submitting valid client-side and thick client vulnerabilities, you may also qualify to receive invitations to private client-side and thick client testing programs. Read more about how we measure researcher performance.)
  • One winner will be selected for submissions triaged in January, one winner for February’s submissions, and one winner for March’s. Note: the same submitter can receive all three of these drawings, winning up to $1500. 
  • A fourth and final winner will be selected from the entire pool of previous, non-winning submissions.

How to Get Started:

Email us at and let us know that you are interested in thick client software testing! 

Start testing on the following public programs that are running:

  • ALL of the targets included in the following briefs qualify for this program:
    • Avira – Client Software
    • AVG Technologies – Client Side Application
    • WHMCS – Software installation package
  • SOME of the targets included in the following briefs qualify for this program. Please be aware of which target you are submitting against!
    • Fitbit – Win10 Desktop Application
    • LastPass – Desktop Application
    • OWASPZAP – Desktop Application
    • PureVPN – Desktop Applications
    • SplashID – Desktop Applications
    • Sophos – Desktop Client

New to thick client software testing? Let us know in your email and we’d be happy to send you some online resources to help you get started. Our Application Security Engineering team put together their favorite go-to resources, like Hacking – the Art of Exploitation (2nd edition) or Hacker Disassembling Uncovered. Want to try out some of your new skills before you tackle a bounty? Try the Embedded Security CTF!

Feel free to reach out to with any additional questions.

Happy Hunting!!