Pwnables is a premium mobile exploit acquisition program focused solely on exploit code for mobile platforms. We believe in paying appropriate financial rewards to support the work of independent security researchers.
"We pay BIG bounties, not bug bounties".
Our payouts for eligible zero-day exploits range from $25,000 to $1,500,000 per submission. The amount we pay researchers to acquire their original zero-day exploits depends on the popularity and security strength of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default component, process continuation, etc.). For more information, please read our FAQ. The payout ranges listed below are provided for information only and are intended for fully functional/reliable exploits meeting our highest requirements. We may pay higher rewards for exceptional exploits or research.
| Category/Application | OS | Payout for RCE | Payout for SBX | Payout for LPE | Payout for RCE + LPE |
|---|---|---|---|---|---|
| 0-click Remote Jailbreak/Root(persistence) | | - | - | - | Up to $1,500,000 |
| Remote Jailbreak/Root(persistence) | | - | - | - | Up to $1,000,000 |
| Gmail/Email | | - | - | - | Up to $500,000 |
| SMS/MMS | | - | - | - | Up to $500,000 |
| iMessage | | - | - | - | Up to $500,000 |
| WhatsApp/Telegram/Signal | | - | - | - | Up to $500,000 |
| Facebook Messenger | | - | - | - | Up to $500,000 |
| Viber | | - | - | - | Up to $500,000 |
| Skype | | - | - | - | Up to $500,000 |
| | | - | - | - | Up to $500,000 |
| Chrome | | Up to $50,000 | Up to $100,000 | - | Up to $150,000 |
| Safari | | Up to $50,000 | Up to $100,000 | - | Up to $150,000 |
| Opera/Opera Mini | | Up to $50,000 | Up to $100,000 | - | Up to $150,000 |
| Baseband | | - | - | - | Up to $150,000 |
| Media Files | | - | - | - | Up to $150,000 |
| Documents | | - | - | - | Up to $150,000 |
| WiFi | | - | - | - | Up to $100,000 |
| SS7 | | - | - | - | Up to $100,000 |
| GSM(BTS) | | - | - | - | Up to $100,000 |
| Bluetooth/NFC | | - | - | Up to $50,000 | - |
| Physical | | - | - | Up to $50,000 | - |
| Screen Lock (pin/fingerprint bypass) | | - | - | Up to $25,000 | - |
| PC | | - | - | Up to $25,000 | - |

RCE: Remote Code Execution | LPE: Local Privilege Escalation | SBX: Sandbox Escape
We welcome all researchers, except those on the United Nations sanctions list, to take part in Pwnables.
If you have exploit code in one of the categories that we are looking for:
1. Download our PGP key.
2. Send us a PGP-encrypted email with the following information:
   a. Name of targeted software/hardware/platform.
   b. Version and architecture (x86, x64, etc.) of targeted software/hardware/platform.
   c. Type of vulnerability (e.g. infoleak, UAF, etc.).
   d. Attack vector/scenario.
   e. Success rate of exploit code execution (50%, 80%, 100%, etc.).
   f. Time delay for exploit code execution (number of seconds).
   g. Exploitation environment (default installation, privilege, user interaction, etc.).
   h. Settings and/or configurations required for successful exploitation.
   i. Any limitations or special requirements.
   j. Your PGP key.
3. We will acknowledge your email and assess your initial submission.
4. If we are not interested in your initial submission, we will inform you via email within 2 weeks.
5. If we are interested in your initial submission, we will reply to you within 2 weeks with an initial offer.
6. If you accept our initial offer, you will send us, via PGP-encrypted email, the following information for our complete evaluation:
   a. Fully functional exploit source code.
   b. A detailed technical write-up of the exploit code.
   c. A detailed technical write-up of the vulnerability.
7. We will acknowledge your email and evaluate your submission.
8. We may correspond with you for clarifications or more information.
9. We will make you a Final Offer within 2 weeks.
10. If the offer is accepted, payment will be sent in full within 1 week.

| Operating Systems | Browsers | Applications | Devices |
|---|---|---|---|
| Android 7.x/8.x/9.x/10.x/11.x/12.x/13.x/14.x | Google Chrome | Gmail | Apple iPhone |
| Apple iOS 11.x/12.x/13.x/14.x/15.x/16.x/17.x | Safari(iOS) | | Samsung |
| | Opera | Telegram | LG |
| - | - | Signal | Huawei |
| - | - | Facebook Messenger | |
| - | - | | Xiaomi |
| - | - | Viber | ZTE |
| - | - | Skype | Huawei |
| - | - | - | Sony |
| - | - | - | HTC |
| - | - | - | Motorola |
| - | - | - | Lenovo |
| - | - | - | Acer |
| - | - | - | Asus |

Pwnables is interested in critical vulnerabilities and fully functional, reliable exploit code that will lead to arbitrary code execution, privilege escalation, sandbox escape and leakage of sensitive information.
Payout details can be found above.
Payment will be made via bank transfer (local or international) or in cryptocurrency such as Bitcoin or Ethereum.
We respect researchers’ privacy. We will not disclose your identity or any of your personal information to third parties.
Submissions acquired by Pwnables will be offered as part of Pwnables security research offerings to legitimate government organisations and corporations.
Feel free to contact us for more details.