Find a new Android exploit? Sell it to a secretive company for $3 million
June 08, 2025
If you stumble across a zero-day Android exploit (that is, a bug or vulnerability that is unknown to Google), a company called Crowdfense will pay you up to $3 million for that information.
Sounds amazing, right? The only issue is that it is not clear what Crowdfense would then do with the exploit. The company admits that it would sell the exploit to other organizations, but which ones and for what purpose is unknown.

The Crowdfense website describes the company as “a world-leading vulnerability research hub” that “evaluates state-of-the-art active cyber-defense capabilities” and then “offers them to a carefully selected group of global institutional customers.” In other words, the company looks for holes in major systems and then sells the information to undisclosed organizations.
While Crowdfense is probably an ethical company that will only use the supplied exploit information to do good in this world, it’s also hard not to imagine a company in its position selling off the software vulnerabilities to the highest bidder, putting anyone who uses the software at risk. After all, we are talking about millions of dollars here, which necessitates a tiny list of potential customers.

For the sake of comparison, Google itself offers bounty rewards for Android exploits. But the payout from Google will likely be in the thousands of dollars, not millions.
Crowdfense isn’t just looking for Android exploits, either. It will pay hundreds of thousands up to millions of dollars for zero-day exploits related to iOS, Windows, and macOS.
According to Crowdfense director Andrea Zapparoli Manzoni, via Motherboard, the company has $10 million banked, which it controls from its headquarters in the United Arab Emirates. Manzoni admits that Crowdfense’s customers are “law enforcement or intelligence” agencies that are looking for tools “aimed at collecting intelligence.” So it seems like the exploits go to government institutions. But which governments?
With our world becoming more and more connected, software vulnerabilities will only get more dangerous. If you find a weakness of any kind in any type of software, be sure to thoroughly vet any person or organization with which you would share that information.