- Our focus is mainly operating systems, mobile devices and web browsers; we will buy most disclosures in and around our scope.
- Our scope changes as products are added and removed, so what you see today may not be there tomorrow. Follow us on Twitter for the latest scope changes.
- Our partners and vendors are usually looking for unknown vulnerabilities, so our focus is on code execution, command execution and authentication bypass.
- We pay more than bug bounty programs.
- If a vendor does not have a bug bounty program, we are still interested in acquiring the vulnerability and reporting it to the vendor.
- We believe researchers need to get paid for their effort and we are willing to offer higher rewards.
- We handle the entire reporting process.
- We will publish your research and attribute it per your instructions.
- How widespread is the software/hardware? Popular products typically command higher amounts.
- How critical is the vulnerability? For example, if you find an unauthenticated arbitrary code execution vulnerability, you will be paid substantially more than for a Cross-Site Scripting vulnerability.
We do accept bugs outside our list, but we will have to suggest them to the client first and get their approval before drilling down.
Got a vulnerability not in our scope? Send us an email, we can still help: firstname.lastname@example.org
We take the privacy of researchers very seriously and will never disclose any information to any third party (including customers), including personal information about researchers such as names, aliases, email addresses, bank details, or any other personal or confidential information.
- You send us a brief description of the vulnerability.
- We may follow up with questions.
- We sign a contract.
- You send us the vulnerability.
- Our technical team verifies the vulnerability.
- We contact the vendor.
- You get paid.
- The vulnerability is responsibly disclosed and published.
- The vendor signs a contract with SSD before we provide any disclosure information. In most cases, they will not back out of a contract.
- In some cases, we will buy your findings without the company being involved, because we use the product ourselves or feel it is appropriate to do so to ensure the safety of its users.
- Many of the vendors we work with will not communicate directly with researchers; rather, they look for companies like ours to provide onboarding and act as a broker between the researcher and the company.
- We can usually get our researchers the highest compensation, thanks to our name and trustworthy reputation.
- We acquire vulnerabilities for some vendors even if the vendor is not interested in buying them.
- We believe in the personal touch: your submissions are managed and handled by our client and tech teams.
- We give you the option to stay anonymous when submitting your findings. No strings attached.
- Most vendors will not pay for all types of vulnerabilities.
- Many of our payouts exceed what vendors are willing to negotiate.
- In some cases, handling by vendors can go badly, and there are many examples out there. We act as the buffer.
Please refer to https://ssd-disclosure.com/submit/ or use this template to speed up confirmation of your discovery:
1. Vulnerability Title
2. Date of submission
3. Description of Product (from vendor/site)
4. Description of Vulnerability
   - 4.1 Title
   - 4.2 Product
   - 4.3 Version
   - 4.4 Homepage
   - 4.5 Binary Affected
   - 4.6 Binary Version
   - 4.7 Binary MD5
5. Configuration Requirements
6. Vulnerability Requirements
7. Vulnerability Summary Information
   - 7.1 Vulnerability Class
   - 7.2 Affected Versions Tested
   - 7.3 Affected Versions Assumed (explain assumption)
   - 7.4 Unaffected Versions
   - 7.5 Affected Platforms Tested (Windows, Linux, 32-bit, 64-bit, 10 RS1, 10 RS2, 2016, Ubuntu, etc.)
We welcome you to join our referral program, where we reward you with up to $10,000 USD per researcher you refer who starts working with us. Contact us using the form below to learn more about the program.