Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities

An unnamed firm is paying up to $250,000 for vulnerabilities related to its virtualization platform.

An unnamed company will start an eight-week, invite-only bug bounty program in September that offers a $250,000 payout for virtual-machine escape vulnerabilities tied to an unreleased product.

Bugcrowd announced the program today, and said the high-priced bounty is the largest advertised bounty on a third-party platform.

“This top-secret program is a hybrid approach. It allows the organization to recruit more top talent—security experts that specialize in the company’s unique attack surface,” said Casey Ellis, CEO of Bugcrowd.

The $250,000 payday reflects growing momentum behind bug bounty programs, which are increasingly becoming mainstream tools for companies such as Microsoft, Google, Facebook and Apple that are recruiting white hat hackers to find bugs.

Last month, Microsoft announced a Windows bug bounty program with a top payout of $250,000 for anyone who is able to discover hypervisor and host kernel remote code execution vulnerabilities in Microsoft Hyper-V, the company’s virtualization software. At Black Hat last year, Apple announced a $200,000 private bounty program, while exploit vendor Zerodium shortly thereafter offered a $1.5 million bounty for iOS 10 remote jailbreak exploits.

The so-called “Super-Secret” Bugcrowd bounty program is invite-only and requires participating researchers to submit “a report of their efforts, what was attempted, ideas for a potential compromise, and any other relevant information (regardless of whether or not they achieved the stated objectives),” according to the company. The top five reports that fail to find a bug but demonstrate effort and expertise will be rewarded $10,000 as a level of compensation for work done, according to the company.

The program lasts eight weeks, starting early September and lasting through October. According to the bounty website, 27 participants have already joined the program.

The top $250,000 bounty paid out by the masked company is for “guest escape vulnerabilities that lead to code execution in the virtualization platform itself” and “guest escape vulnerabilities that lead to code execution in another instance.”

The same program pays $100,000 for vulnerabilities that leak memory contents and code from the virtualization platform. In addition, a $25,000 bounty is paid for vulnerabilities related to unintended network access to control-plane infrastructure.

“High rewards like this speak to the growing momentum behind bug bounties and the maturity of the (not so niche) market,” Ellis said.

According to HackerOne, a Bugcrowd competitor, its average dollar payouts to participants are up 16 percent from 2015’s average of $1,624. The highest bug bounty currently offered by HackerOne was $50,000 for critical vulnerabilities.

  • Bob on

    It is not a high reward if it can replace a beta tester's annual paycheck for x number of years, only to come up with nothing. It doesn't inspire confidence when a high school student smokes you. Agile has been abused for the sake of delivery and/or profit.
    • Tester on

      I am sure these companies still have security testers on the payroll. But why hire another tester when bug bounties have been proven to be more fruitful? You can have 100 eyes looking at the same application for the price of one. You would do the same thing as a business owner.
  • john b on

    Don't be surprised when a working proof of concept is weaponized to infect all your VMs. Probably a gov agency looking for more "tools".
