Hex-Rays Security Bug Bounty Program

We have been toying with the idea since 2008 and finally decided to go ahead with it. In short, if you find a security bug in IDA or the Decompiler and report it to us, you may receive a cash award.

The purpose of our Security Bug Bounty Program to make our tools more secure and reward those who help us in this endeavor.

Please check the reported vulnerabilties below.

Bounty Guidelines

  1. Hex-Rays will pay a 3000 USD bounty for certain security bugs.
  2. All IDA or Decompiler license holders can participate (with or without active support plan), except Hex-Rays employees and their families.
  3. What security bugs will be considered:
    1. Security bugs must be original and previously unreported and not fixed yet.
    2. Security bugs with high or critical impact are eligible (remote code execution, privilege escalation, etc).
    3. Security bugs must be in the Hex-Rays code (not in third party/contributed code). In some cases we may take responsibility for third-party code as well.
    4. Security bugs must be present in the latest public release of IDA/Decompiler.
    5. Anti-debugging and similar tricks are not eligible for the bounty.
    6. Simple crashes and denial-of-service bugs are not eligible for the bounty, although we'll still be interested to get the reports :)
  4. How to apply: send your report to bugbounty@hex-rays.com. The report should include the POC code and a small description of the bug and its impact.
  5. We reserve the right to refuse a bounty payment if we believe the actions of the reporter have endangered the security of Hex-Rays' end users.
  6. The duration of the bounty program: undetermined. We reserve the right to close the program at any moment.
  7. What will be asked from the reporters: a proper and legal picture identification and bank account information within 30 days of the bug acknowledgement.
  8. Collective entries are allowed. The bounty will be paid to the person designated by the group.

Reported vulnerabilities

Date Reporter Products Description
2011-02-08 19:21 Stefan Esser IDA 5.7 and 6.0 Vulnerability in Macho-O loader
2011-02-10 10:37 Alin Rad Pop IDA 5.7 and 6.0 Vulnerability in the conversion of string encodings
2011-02-11... Masaaki Chida IDA 5.7 and 6.0 Multiple vulnerabilities
2011-02-20... Masaaki Chida IDA 5.7 and 6.0 Multiple vulnerabilities
2011-03-18... undisclosed IDA 5.7 and 6.0 Plugin autorun vulnerability
2011-04-10... undisclosed IDA 5.7 and 6.0 and early copies of 6.1 WinDbg autorun vulnerability

Fixes for this and other problems in IDA are available from the following link:

https://www.hex-rays.com/vulnfix.shtml

Thank you for participating in our bug bounty program!