The "NVWA Project" is a reward project for research into 0day vulnerabilities and exploitation techniques, mainly targeting mainstream PC and mobile operating systems, popular server and client software applications, network equipment, virtual system escape, etc. We provide generous bonuses: the highest reward for a single vulnerability can be up to ¥20,000,000!

Target Directory

The target directory includes, but is not limited to, the following ranges and will be updated regularly.

New Table

Target Version Type Require Date Effective date(d) TopPrice(¥)

Long-term Table

Target Version Type Require Date Effective date(d) TopPrice(¥)
3CX - RCE Zero-Click 2020-09-04 150,000
ABB - RCE Zero-Click 2020-09-04 150,000
ABB Ability - RCE Zero-Click 2020-09-04 150,000
Acme - RCE Zero-Click 2020-09-04 150,000
ActiveMQ - RCE Zero-Click 2021-01-05 50,000
ADC - RCE Zero-Click 2021-01-05 20,000
Adobe - RCE 1-Click 2020-09-04 800,000
Adobe-PDF - RCE 1-Click 2019-11-08 800,000
advantech - RCE Zero-Click 2020-09-04 150,000
Airos - RCE Zero-Click 2020-09-04 350,000
Android - FCWP Zero-Click 2019-11-08 20,000,000
Anydesk - RCE Zero-Click 2020-09-04 150,000
anymacro 安宁 mailbox - RCE/AUL Zero-Click 2021-01-05 500,000
Apache - RCE Zero-Click 2020-09-04 500,000
Apache Shiro - RCE Zero-Click 2021-01-05 100,000
Apache Spark - RCE Zero-Click 2021-01-05 20,000
Apache Struts2 - RCE Zero-Click 2021-01-05 500,000
Apereo CAS - RCE/AUL Zero-Click 2021-01-05 100,000
ArcSight - RCE Zero-Click 2020-08-07 350,000
ASUS - RCE Zero-Click 2020-09-04 200,000
Atlassian - RCE Zero-Click 2020-09-04 400,000
Atlassian Jira - RCE Zero-Click 2021-01-05 300,000
AudioCodes - RCE Zero-Click 2020-09-04 150,000
Avaya - RCE Zero-Click 2020-09-04 150,000
Barracuda - RCE Zero-Click 2020-09-04 200,000
beyondtrust - RCE Zero-Click 2020-09-04 200,000
BlueCoat - RCE Zero-Click 2020-09-04 200,000
Bluecoat-ProxySG - RCE Zero-Click 2019-11-08 800,000
BroadForward - RCE Zero-Click 2020-09-04 200,000
Cacti - RCE Zero-Click 2020-09-04 150,000
CheckPoint - RCE Zero-Click 2020-09-04 350,000
Chrome - RCE+LPE Zero-Click 2019-11-08 3,000,000
Cisco - RCE Zero-Click 2019-11-08 5,000,000
CISCO firewall - RCE Zero-Click 2021-01-05 500,000
CISCO SSL VPN - RCE/AUL Zero-Click 2021-01-05 500,000
Citrix - RCE Zero-Click 2020-09-04 350,000
ClearScada - RCE Zero-Click 2020-09-04 150,000
Confluence - RCE/AUL Zero-Click 2021-01-05 300,000
Coremail - RCE/AUL Zero-Click 2021-01-05 500,000
CourierMail Server - RCE Zero-Click 2020-09-04 150,000
Cpanel - RCE Zero-Click 2020-08-07 350,000
Cyberoam - RCE Zero-Click 2020-09-04 200,000
Dedecms - RCE Zero-Click 2021-01-05 50,000
Defense Software - RCE Zero-Click 2019-11-08 500,000
Diameteriq - RCE Zero-Click 2020-09-04 150,000
Discuz - RCE Zero-Click 2021-01-05 50,000
dlink - RCE Zero-Click 2021-01-05 50,000
Docker - SBX Zero-Click 2020-09-04 500,000
Dovecot - RCE Zero-Click 2020-09-04 150,000
Drupal - RCE Zero-Click 2020-09-04 150,000
easysite - RCE Zero-Click 2021-01-05 30,000
ECShop - RCE Zero-Click 2021-01-05 20,000
Emerson - RCE Zero-Click 2020-09-04 150,000
EmpireCMS - RCE Zero-Click 2021-01-05 20,000
Ericsson HSS - RCE Zero-Click 2020-09-04 150,000
eScan - RCE Zero-Click 2020-09-04 150,000
Exchange - RCE Zero-Click 2020-08-07 800,000
EXIM - RCE Zero-Click 2020-09-04 350,000
express - RCE Zero-Click 2021-01-05 50,000
F5 - RCE Zero-Click 2020-09-04 500,000
F5 BIG-IP - RCE Zero-Click 2021-01-05 500,000
Fastjson - RCE Zero-Click 2021-01-05 500,000
Firefox - RCE+LPE Zero-Click 2019-11-01 800,000
FortiGate - RCE Zero-Click 2020-08-07 350,000
Fortigate-Firewall - RCE Zero-Click 2019-11-08 800,000
FortiNet - RCE Zero-Click 2020-09-04 350,000
Fortinet(飞塔) Firewall - RCE Zero-Click 2021-01-05 50,000
Foxit - RCE+LPE 1-Click 2020-09-04 500,000
FreeBSD - LPE Zero-Click 2020-08-07 500,000
FusionAccess - RCE Zero-Click 2021-01-05 50,000
Gitea - RCE Zero-Click 2021-01-05 50,000
Gitlab - RCE Zero-Click 2021-01-05 50,000
Grandstream - RCE Zero-Click 2020-09-04 150,000
H3C - RCE Zero-Click 2020-08-07 500,000
Hadoop - RCE Zero-Click 2021-01-05 50,000
HanSight Enterprise - RCE Zero-Click 2021-01-05 50,000
Harbor - RCE Zero-Click 2021-01-05 20,000
HttpFileServer - RCE Zero-Click 2020-09-04 150,000
IBM - RCE Zero-Click 2020-09-04 350,000
IE - RCE 1-Click 2020-09-04 800,000
Ignition - RCE Zero-Click 2020-09-04 150,000
IIS - RCE Zero-Click 2020-09-04 3,000,000
iOS - FCWP Zero-Click 2019-11-08 15,000,000
jackson - RCE Zero-Click 2021-01-05 500,000
Jboss - RCE Zero-Click 2020-09-04 500,000
jeecms - RCE Zero-Click 2021-01-05 20,000
JeeSite - RCE Zero-Click 2021-01-05 10,000
Jenkins - RCE Zero-Click 2021-01-05 50,000
jetty - RCE Zero-Click 2021-01-05 300,000
JFinal - RCE Zero-Click 2021-01-05 20,000
jumpserver - RCE/AUL Zero-Click 2021-01-05 50,000
juniper - RCE Zero-Click 2019-11-08 2,000,000
Kaspersky - RCE Zero-Click 2020-09-04 150,000
kxmail - RCE/AUL Zero-Click 2021-01-05 50,000
Laravel - RCE Zero-Click 2021-01-05 20,000
Liferay - RCE Zero-Click 2020-09-04 150,000
Linksys - RCE Zero-Click 2020-09-04 150,000
Linux - LPE Zero-Click 2019-11-08 500,000
MAC - RCE Zero-Click 2020-09-04 3,000,000
Mailman - RCE Zero-Click 2020-09-04 150,000
McAfee - RCE Zero-Click 2020-09-04 200,000
MetInfo - RCE Zero-Click 2021-01-05 10,000
Microsoft - RCE Zero-Click 2020-09-04 1,000,000
Microsoft SharePoint - RCE Zero-Click 2021-01-05 200,000
Mikrotik - RCE Zero-Click 2020-09-04 150,000
ModSecurity - RCE Zero-Click 2021-01-05 20,000
MOXA - RCE Zero-Click 2020-09-04 150,000
MS-Office - RCE Zero-Click 2019-11-08 1,500,000
NAGIOS - RCE Zero-Click 2020-09-04 200,000
Netflow - RCE Zero-Click 2020-09-04 150,000
NetScreen - RCE Zero-Click 2020-09-04 150,000
Nexus - RCE Zero-Click 2021-01-05 20,000
Onlyoffice - RCE Zero-Click 2020-09-04 150,000
OpenFind - RCE Zero-Click 2020-09-04 150,000
OSPF Routing Protocol - RCE Zero-Click 2020-09-04 150,000
Other Office - RCE Zero-Click 2019-11-08 500,000
Outlook - RCE Zero-Click 2020-09-04 1,500,000
Paloalto - RCE Zero-Click 2020-09-04 150,000
Peplink - RCE Zero-Click 2020-09-04 150,000
PFsense - RCE Zero-Click 2020-09-04 350,000
phabricator - RCE Zero-Click 2020-09-04 150,000
PHP - RCE Zero-Click 2020-09-04 1,500,000
Phpcms - RCE Zero-Click 2021-01-05 50,000
Phpmyadmin - RCE Zero-Click 2021-01-05 100,000
phpStudy - RCE Zero-Click 2021-01-05 20,000
PLESK - RCE Zero-Click 2020-09-04 800,000
Profibus protocol - RCE Zero-Click 2020-09-04 150,000
Pulse Secure - RCE Zero-Click 2020-09-04 350,000
Pulse Secure VPN - RCE/AUL Zero-Click 2021-01-05 500,000
QEMU - VME Zero-Click 2020-08-07 800,000
Qnap - RCE Zero-Click 2020-09-04 150,000
Redmine - RCE Zero-Click 2020-09-04 150,000
resin - RCE Zero-Click 2021-01-05 100,000
Ribbon - RCE Zero-Click 2020-09-04 150,000
richmail(thinkmail) - RCE/AUL Zero-Click 2021-01-05 100,000
RoundCube - RCE Zero-Click 2020-09-04 150,000
SaltStack - RCE Zero-Click 2021-01-05 20,000
Sangoma - RCE Zero-Click 2020-09-04 150,000
Schneider - RCE Zero-Click 2020-08-07 350,000
SE Inno CMS - RCE Zero-Click 2020-09-04 150,000
SendMail - RCE Zero-Click 2020-09-04 1,000,000
SharePoint - RCE Zero-Click 2020-09-04 200,000
Siemens - RCE Zero-Click 2020-09-04 200,000
SIMATIC - RCE Zero-Click 2020-09-04 200,000
SiteServer - RCE Zero-Click 2021-01-05 20,000
SNMP - RCE Zero-Click 2020-09-04 500,000
Solaris - LPE Zero-Click 2019-11-08 500,000
Solarwinds - RCE Zero-Click 2020-09-04 150,000
Sonus - RCE Zero-Click 2020-09-04 150,000
Sophos - RCE Zero-Click 2020-09-04 200,000
Splunk - RCE Zero-Click 2020-09-04 150,000
Spring Boot - RCE Zero-Click 2021-01-05 500,000
Spring Security Oauth - RCE Zero-Click 2021-01-05 50,000
StormShield - RCE Zero-Click 2020-09-04 200,000
Struts2 - RCE Zero-Click 2020-09-04 350,000
SWIFTNet - RCE Zero-Click 2020-09-04 150,000
Symantec - RCE Zero-Click 2020-09-04 150,000
Synology - RCE Zero-Click 2020-09-04 150,000
TACACS - RCE Zero-Click 2020-09-04 150,000
TeamViewer - RCE Zero-Click 2021-01-05 50,000
Telegram - RCE+LPE Zero-Click 2019-11-08 5,000,000
Thinkphp - RCE Zero-Click 2020-09-04 500,000
TPlink - RCE Zero-Click 2021-01-05 50,000
Trend Micro - RCE Zero-Click 2020-09-04 200,000
turbomail - RCE/AUL Zero-Click 2021-01-05 20,000
Unify - RCE Zero-Click 2020-09-04 150,000
Virtual Box - VME Zero-Click 2020-09-04 500,000
Vmware - VME Zero-Click 2020-09-04 800,000
VMware ESXi - VME Zero-Click 2019-11-08 1,500,000
VMware vCenter - RCE Zero-Click 2021-01-05 100,000
VMware Workstation - VME Zero-Click 2019-11-08 600,000
Vnc Viewer Server - FCWP Zero-Click 2020-05-29 500,000
VxWorks - VME Zero-Click 2020-09-04 800,000
WatchGuard - RCE Zero-Click 2020-09-04 150,000
WebEOC - RCE Zero-Click 2020-09-04 150,000
Weblogic - RCE Zero-Click 2020-09-04 350,000
Webmin - RCE Zero-Click 2021-01-05 50,000
websphere - RCE Zero-Click 2021-01-05 300,000
WhatsApp - RCE+LPE Zero-Click 2019-11-08 10,000,000
Whatsup Gold - RCE Zero-Click 2020-09-04 150,000
Windows - RCE Zero-Click 2019-11-01 10,000,000
winmail - RCE/AUL Zero-Click 2021-01-05 350,000
Winrar - RCE 1-Click 2020-09-04 500,000
Wordpress - RCE Zero-Click 2020-09-04 500,000
XAMPP - RCE Zero-Click 2021-01-05 20,000
Yeastar - RCE Zero-Click 2020-09-04 150,000
Zabbix - RCE Zero-Click 2020-08-07 500,000
Zimbra - RCE Zero-Click 2020-09-04 350,000
Zoho - RCE Zero-Click 2020-09-04 150,000
万户ezoffice - RCE Zero-Click 2021-01-05 20,000
亿邮 - RCE/AUL Zero-Click 2021-01-05 50,000
向日葵 - ALL Zero-Click 2021-01-05 50,000
Bastion host - RCE/AUL Zero-Click 2021-01-05 50,000
大汉cms - RCE Zero-Click 2021-01-05 20,000
宝塔 - RCE Zero-Click 2021-01-05 20,000
帕拉迪 bastion host - RCE/AUL Zero-Click 2021-01-05 50,000
Common security products (firewall, VPN, IDS, IPS, host security, endpoint security, etc.) - RCE Zero-Click 2021-01-06 50,000
微擎 - RCE Zero-Click 2021-01-05 10,000
拓尔思 TRSWAS - RCE Zero-Click 2021-01-05 20,000
日志易 - RCE Zero-Click 2021-01-05 50,000
时代亿信 mailbox - RCE/AUL Zero-Click 2021-01-05 200,000
泛微 - RCE/AUL Zero-Click 2021-01-05 50,000
爱快 flow-control router - RCE Zero-Click 2021-01-05 50,000
用友 - RCE/AUL Zero-Click 2021-01-05 50,000
禅知 - RCE Zero-Click 2021-01-05 20,000
禅道/zentao - RCE Zero-Click 2021-01-05 50,000
税友 - RCE Zero-Click 2021-01-05 50,000
致远oa - RCE/AUL Zero-Click 2021-01-05 50,000
蓝凌 - RCE/AUL Zero-Click 2021-01-05 50,000
通达oa - RCE/AUL Zero-Click 2021-01-05 20,000
金蝶 - RCE Zero-Click 2021-01-05 50,000
锐捷 - RCE Zero-Click 2021-01-05 50,000
齐治 bastion host - RCE/AUL Zero-Click 2021-01-05 100,000

ALL: RCE + LPE
RCE: Remote Code Execution
LPE: Local Privilege Escalation
SBX: Sandbox Escape Bypass
VME: Virtual Machine Escape
FCWP: Full Chain (Zero-Click) with Persistence, i.e. a complete exploit chain
AUL: Arbitrary user login vulnerability

Vulnerability Submission

Q&A

1. Email
Please provide your email address; we will contact you by email during the vulnerability confirmation.
2. What is the scope of the vulnerability?
Our focus is on the related 0day vulnerabilities within the target range given by the 'NVWA Project'. The target scope will be updated regularly, please keep an eye on it.
If your vulnerability is outside the scope of our target and the impact is large and serious, it may also become our receiving target. You can submit it and we will contact you after we evaluate.
3. How many vulnerability rewards can I get?
When you submit the vulnerability profile, you should also submit a self-evaluation of the vulnerability. Based on that, we will evaluate it and contact you for bargaining; the process proceeds to the next step only after the bargained price has been approved by both sides.
After receiving the details of the vulnerability sample, if we find that it does not match your previous description, we will conduct a second round of bargaining.
4. What kind of vulnerability profile do I need to submit?
At the beginning of the process, please refer to the 'Vulnerability Submission' form. After the vulnerability negotiation is completed, you can submit the vulnerability details and a complete exploit.
5. When can I get rewards after submitting a vulnerability?
After you submit the full vulnerability description and exploit, we will confirm it and issue a bonus based on the final bargaining result. The bonus will be paid in installments within 3 months.
50% of the bonus will be paid within 1 week after the vulnerability is confirmed, and the remaining 50% will be paid in 3 months.
The information related to the vulnerability you submitted should be kept confidential; if a leak is caused by the vulnerability submitter, we will reduce or cancel the reward according to the specific circumstances.
6. What does "Require" (such as "Zero-click") mean?
The interaction requirement refers to any interaction other than the attack scenario.
Opening Office, opening a document, using a browser to open a link, or opening a link in an application such as a mobile IM is considered an "attack scenario" and is not within the scope of "interaction requirements."
7. What should I do if I need to send sensitive information during the communication process?
During the communication process, if you are concerned that the information you send is sensitive, please encrypt it with our PGP public key.
Our PGP public key is as follows:
public-key-service@nvwa.org
8. What if I have a question and want to consult?
If you have any questions, please send an email to root#nvwa.org. Note that no information related to an actual vulnerability will be communicated through this email address. After you submit the form, further communication will take place via your email address.