Crowdfense is a private exploit-acquisition company headquartered in the United Arab Emirates that operates in the so-called "gray market" for software vulnerabilities. It purchases previously unknown security flaws — known as zero-days — along with full exploit chains from independent researchers, then resells them to a restricted client base it describes as government and institutional customers.
The firm became publicly visible in 2018 when it announced a $10 million acquisition program for high-impact exploits targeting mobile and desktop platforms. In April 2024 it published an updated price list offering up to $5–7 million for full-chain, zero-click remote code execution on iOS and Android, with lower tiers for browser, messenger, and operating system bugs. These public bounty tables are unusually transparent for the industry and are frequently cited by security journalists as a benchmark for the going rate of offensive cyber capabilities.
Crowdfense positions itself as a competitor to firms such as Zerodium (founded by Chaouki Bekrar) and NSO Group, though its business model differs: it acts primarily as a broker and quality-assurance layer rather than a developer of finished surveillance products like Pegasus. Researchers submit candidate exploits through a vetting process, and Crowdfense validates the technical claims before payment.
The company sits at the center of ongoing policy debates relevant to IR and tech-governance researchers. Critics — including organizations such as Access Now and Citizen Lab — argue that the commercial zero-day market enables state surveillance against journalists, dissidents, and diplomats, and that export controls under frameworks like the Wassenaar Arrangement (amended in 2013 to cover intrusion software) are inconsistently applied. Defenders argue that without regulated brokers, vulnerabilities would flow to less accountable buyers. Crowdfense's UAE base also draws scrutiny given the Emirates' own documented history as a customer of commercial spyware.
Example
In April 2024, Crowdfense publicly offered up to $7 million for a zero-click, full-chain iOS remote code execution exploit, drawing renewed attention to the commercial zero-day market.
Frequently asked questions
Yes. Brokering vulnerabilities is legal in most jurisdictions, though exports of intrusion software are regulated under the Wassenaar Arrangement and national laws such as the EU Dual-Use Regulation.
Keep learning