The Exodus Intelligence
Program was formed by a team of world-class researchers who understand the time and effort required to discover and exploit vulnerabilities. The EIP was created to provide compensation to individuals for such research, especially in the situations where the affected vendor has no such reward program in place. The team at Exodus strives not only to work with the contributor and with the vendor to get bugs fixed, but to provide the participants with insight into how the reported flaw was reverse engineered and validated as exploitable by our team.
All information acquired through the EIP is distributed to our clients in the form of a subscription-based feed. To answer some common questions, please refer to our FAQ
You can contact us by e-mailing firstname.lastname@example.org
. Please use our PGP
What software do you purchase vulnerabilities in?
Most major/widely deployed software packages, of course we're not intimately familiar with every piece of software in existence so any supporting data you can provide regarding the software's popularity is helpful in making our purchasing decision. We almost never buy vulnerabilities for in-house developed applications or single site deployments (facebook, gmail, etc..).
What if two people indepedently discover and report the same vulnerability?
We will make a monetary offer only to the first. If the secondary reporter accepts our offer we will contact the vendor and request dual credit on their public advisory for both researchers.
How much will you pay for a bug in X product?
We do not offer estimates prior to reviewing the vulnerability details in their entirety.
Will I recieve credit as the initial discoverer of a reported vulnerability?
Yes you will. We have a good relationship with most major software vendors and typically have no issues with getting the appropriate party credited on their public advisory, notification, or patch notes.
What if I dont want to be credited? I wish to remain anonymous.
This is not an uncommon request and we will ensure your anonymity.
Are there any restrictions on who can contribute to the the EIP?
We do require a valid government issued ID for payment and tax purposes. Additionally, we do not currently accept submissions from individuals residing in the following countries: North Korea, Iran, Cuba, and Syria.
What payment methods are available?
Wire Transfer, Payment via Mail (Check), and Western Union.
What additional benefits are available for frequent contributors to the EIP?
We have a benefits program and other perks detailed here
How long after submitting a report will I receive an offer?
While times do vary we aim to complete our initial analysis and get an offer out within 10 business days.
What happens to my report after I submit it?
Your submission will be assigned to an analyst in the order it was recieved, we evaluate the report for the following characteristics:
What if I dont accept the offer?
- Software Relevance. Is it widely used?
- Uniqueness, is the submission a duplicate of another independent discovery?
- Exploitability, is the bug actually a security risk?
If you do not wish to accept our offer to acquire, you are free to do whatever you wish with the reported vulnerability. We will destroy any data we have pertaining to it and it will not be reported, disclosed, or discussed.
What happens if I accept the offer?
Upon acceptance of our offer you agree not to discuss or disclose information pertaining to the reported vulnerability for 1 year following the public disclosure of the vulnerability. Our analysts will prepare and document the vulnerability so we can provide the vendor or software maintainer with ample details and ongoing support to aid in a quick patch turnaround.
Do you report all contracted reports to their respective vendors?
Yes, every vulnerability contracted through the EIP is disclosed.
But !exploitable said 'Exploitability Classification: EXPLOITABLE'?
Having participated in vulnerability purchasing as both contributors as well as analysts, our team understands how frustrating response time can be. One of our core objectives with the EIP is to ensure that all contributors are actively updated about their submissions whether they query us or not.
All submissions (that aren't awaiting responses for more information or delayed due to testing environment issues) will be analyzed and decided upon within 10 business days.
Scope of Acceptance
The valuation of your hard work greatly depends on what the purchasing party will be using it for. As we provide an intelligence feed (and dont support a product), we are able to expand the scope of vulnerabilities that we are interested in procuring. Local vulnerabilities, exploitation techniques, memory disclosures, and other issues will be considered.
For every accepted submission, we intend to provide the contributor with detailed analysis of their vulnerability (if they weren't able to research such information themselves). This may be in the form of a question/answer e-mail thread, a ToolBag
DB file, or a re-factored proof of concept.
Most (but not all) contributors are very much interested in the monetary valuation of their work. We intend to ensure our offers are more than competitive when compared to other such programs.
When a particularly interesting vulnerability comes through the EIP, we will publish a blog entry detailing the issue and giving the researcher credit (if they do not wish to be anonymous).
The top 4 researchers (tallied by the number of accepted contributions) will be awarded $20,000 USD each. The clock starts the day EIP was launched (6/20/12) and the winners will be determined that time the following year.
Collaborative Hacking Event
The top 5 researchers (tallied by the number of accepted contributions) will be invited to an as-yet undisclosed location where the Exodus team will host a collaborative hacking event. We will provide travel, lodging, and the target software configured and ready for everyone to attack. Attendees will be able to work alongside each other and our team to uncover vulnerabilities while enjoying a free bar tab and subsequent after party.
: Official EIP Launch
We are excited to announce that the Exodus Intelligence Program is officially accepting submissions. To contribute, please login
: EIP August Incentives
Now offering incentives for all cases submitted during the month of August, full details available on our blog.
: Accepting PGP Digital Signatures
We are now accepting digital signatures for offered cases given the following criteria is met: the key used to verify the signature is submitted via the EIP portal and the required proof of identity (government issued ID) is signed with the same key id.