The "NVWA Project" is a reward project for the 0day vulnerability and utilization technology research, mainly for mainstream PC, mobile operating systems, popular servers, client software applications, network equipments, virtual system escape, etc. We provide generous bonuses that the highest reward for a single vulnerability could up to ¥20,000,000!

Target Directory

Including but not limited to the following ranges, the target directory will be updated regularly

New Tablenew

Target Version Type Require Date Effective date(d) TopPrice(¥)
NEC NEC Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 300,000
Piolink Piolink Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 300,000
ForcePoint FireWall RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Hillstone FireWall RCE/DoS Zero-Click 2020-04-01 2020-12-31 400,000
Ahnlab FireWall RCE/DoS Zero-Click 2020-04-01 2020-12-31 300,000
Cisco 1800/1900 Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 500,000
Cisco ASR1000 Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 700,000
Cisco Catalyst9000 Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 550,000
Juniper QFX switches RCE/DoS Zero-Click 2020-04-01 2020-12-31 800,000
Juniper OCX switches RCE/DoS Zero-Click 2020-04-01 2020-12-31 800,000
Juniper T Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 1000,000
Juniper PTX Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 600,000
Juniper ACX Router RCE/DoS Zero-Click 2020-04-01 2020-12-31 500,000
富士通IPCOM FireWall RCE/DoS Zero-Click 2020-04-01 2020-12-31 300,000
Microsoft ForeFront TMG/ISA Network proxy RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
McAfee WebGateWay Network proxy RCE/DoS Zero-Click 2020-04-01 2020-12-31 500,000
Sonicwall VPN RCE/DoS Zero-Click 2020-04-01 2020-12-31 450,000
NSD DNS RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
PowerDNS DNS RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
UltraDNS DNS RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Postfix Mail service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Zmailer Mail service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Mdeamon Mail service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Winmail Mail service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
PowerMTA Mail service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Lotus Domino Web service RCE/DoS Zero-Click 2020-04-01 2020-12-31 350,000
Oracle Database RCE/DoS Zero-Click 2020-04-01 2020-12-31 500,000
Portable SDK for UPnP devices CIG Router RCE Zero-Click 2020-05-01 2020-12-31 350,000

Long-term Table

Target Version Type Require Date Effective date(d) TopPrice(¥)
Windows Windows7/8/10/2008/2012 RCE Zero-Click 2019-11-01 10,000,000
Firefox Windows/MacOS RCE/LPE Zero-Click 2019-11-01 800,000
Android Mainstream Android Mobile OS FCWP Zero-Click 2019-11-08 20,000,000
iOS Mainstream Apple iOS FCWP Zero-Click 2019-11-08 15,000,000
WhatsApp Android/iOS RCE/LPE Zero-Click 2019-11-08 10,000,000
Telegram Android/iOS RCE/LPE Zero-Click 2019-11-08 5,000,000
Chrome Windows/MacOS RCE/LPE Zero-Click 2019-11-08 3,000,000
MS-Office Windows RCE Zero-Click 2019-11-08 1,500,000
Other Office Windows RCE Zero-Click 2019-11-08 500,000
Adobe-PDF Windows RCE Zero-Click 2019-11-08 800,000
Cisco IOS RCE Zero-Click 2019-11-08 5,000,000
juniper ScreenOS/... RCE Zero-Click 2019-11-08 2,000,000
Fortigate-Firewall FortiOS RCE Zero-Click 2019-11-08 800,000
Bluecoat-ProxySG - RCE Zero-Click 2019-11-08 800,000
Defense Software Symantec/HP-arcsight/TrendMicro... RCE Zero-Click 2019-11-08 500,000
VMware ESXi VMware ESXi VME Zero-Click 2019-11-08 1,500,000
VMware Workstation VMware Workstation VME Zero-Click 2019-11-08 600,000
Linux Mainstream Linux OS LPE Zero-Click 2019-11-08 500,000
Solaris - LPE Zero-Click 2019-11-08 500,000
Vnc Viewer Server Vnc Viewer Server RCE/DoS Zero-Click 2020-05-29 500,000

ALL:RCE + LPE;RCE(Remote Code Execution):远程代码执行;LPE(Local Privilege Escalation):本地权限提升;SBX(Sandbox Escape Bypass):沙盒逃逸绕过;VME(Virtual Machine Escape):虚拟机逃逸;FCWP(Full Chain (Zero-Click) with Persistence):完整的利用链

Vulnerability Submission

Q&A

1.Email
Please use your Email address and we will contact you by Email during the vulnerability confirmation.
2. What is the scope of the vulnerability?
Our focus is on the related 0day vulnerabilities within the target range given by the 'NVWA Project'. The target scope will be updated regularly, please keep an eye on it.
If your vulnerability is outside the scope of our target and the impact is large and serious, it may also become our receiving target. You can submit it and we will contact you after we evaluate.
3. How many vulnerability rewards can I get?
When you submit the vulnerability profile, you’re supposed to submit the vulnerability self-evaluation. Based on that we will evaluate and contact you for bargaining, only after the bargaining price has been approved by both side will the process proceed to the next step.
After receiving the details of the vulnerability sample, if we find that it does not match your previous description, we will conduct a second bargain.
4. What kind of vulnerability profile do I need to submit?
At the beginning of the process, please refer to the 'Vulnerability Submission' form. After the vulnerability negotiation is completed, you can submit the vulnerability details and a complete exploit.
5. When can I get rewards after submitting a vulnerability?
After submitting the full vulnerability description and exploit, we will confirm and issue a bonus based on the final bargaining result. The bonus will be paid in installments within 3 months.
The 50% bonus will be paid within 1 week after the vulnerability is confirmed, and the remaining 50% will be paid in 3 months.
The information related to the vulnerability you submitted should be kept confidential, if there is a leak due to the vulnerability submitter, we will deduct or cancel the reward according to the specific circumstances.
6. What does "Require" (such as "Zero-click") mean?
The interaction related requirement refers to any interaction action other than the attack scenario.
Opening the Office, opening a document, or using browser to open a link, and an application such as a mobile IM to open a link is considered an "attack scenario" and is not within the scope of "interaction requirements."
7. What should I do if I need to send sensitive information during the communication process?
During the communication process, if you are concerned that the information you send involves sensitive information, please use our public PGP key encryption.
              Our PGP public key is as follows:
public-key-service@nvwa.org