Help Wanted

Attention Hackers:

So, as you may or may not know, Bugcrowd runs a large number of private programs that aren’t publicly visible. These private programs range from testing webapps, to APIs, to reverse engineering binaries/desktop apps, to network pentests, and even some testing on IoT devices!

That said, sometimes these programs need some pretty specific skillsets that may not be too common – that’s where this page comes in. Listed below are some vague, but useful details on some private programs that Bugcrowd is running, that we’d like to add some more talented researchers to, if you’re interested.

If you’re looking to participate in any of the below, please fill out the associated Google form – and be sure to include your background, why you’re a good fit for the program, and so on (this is required – if you don’t put effort into explaining why you should be on a program, it’s unlikely that you’ll put effort into the program itself; we won’t respond to any request that doesn’t offer reasonable justification for why you’d be a good researcher to put on the program). From there, we’ll reach out directly and see about getting you added, or ask for additional information as needed.

Please note that these programs will change, and often some programs will only be available for a short period of time, since there’s often a limited number of devices, credentials, etc. Good luck and happy hunting!


Current Programs:


A bug bounty program for serious gamers (Windows platform only) – added 4/13/18

If you’re a serious gamer with the interest and skills (in this case, strong reverse engineering) to find security vulnerabilities in a Windows game platform, then there’s a bug bounty program for you! If you’d like to participate on this program, please complete the following form. Good luck and happy hunting!

Rewards are up to $10K for valid, critical security vulnerabilities.

Google form link


A data management system (reverse engineering/webapp/general pentesting) – updated 4/16/18

We’re running a program on a data management system that researchers will VPN into, and then have access to their own custom environment with a variety of available targets. There’s a webapp interface, command line interface, and a number of hosts running on a /26 subnet.

The system will be a UNIX based storage appliance with the following services:


Additionally, the system offers multi-tenant capabilities and we’re specifically interested in multi-tenancy violations such as administrators crossing tenants allowing for information disclosure.

Strong penetration testing, reverse engineering, and exploit development skills are advised. Feel free to reach out to if you have any questions. Thanks!

Objectives: any/all valid security vulnerabilities.

Maximum payout: $15,000

Google form link


An iOS only car management application – added 12/5/17

This mobile application is used for managing and interacting with one’s vehicle. It’s important to note that a) only issues relating to the app itself are in scope (e.g. the services it interacts with are not in scope); and b) this app is protected by Arxan, and as such, places where researchers are able to bypass the obfuscation to find security issues are of particular interest. Strong mobile skills are highly encouraged.

Objectives: any/all valid mobile security issues.

Maximum payout: $5,000

Google form link


 An endpoint desktop application (windows only)

This application can be run inside a VM, but it must be a windows VM. This is an endpoint desktop application that will require strong reverse engineering skills to be effective against.

Objectives: local privilege escalation; code execution; DoS/crashing/bypassing the endpoint service.

Maximum payout: $40,000

Google form link



An installed service + associated webapp

A well tested and mature enterprise application, this program consists of a binary + webapp that can be evaluated for both web issues, as well as issues such as buffer overflows, etc. This does require some setup to get going, but nothing complicated.

Objectives: code execution, privilege escalation, SSRF, any/all webapp vulnerabilities

Maximum payout: $10,000

Google form link