Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

The Zero Day Reward Program is intended to encourage and educate a wide audience of security professionals and enthusiasts to look for a class of attacks not commonly looked for.

Towards this purpose, Polyverse has built an open-source tool called Zerotect:

This program is intended to reward users who observe and report real attacks on their systems using Zerotect.

Terms and conditions

  1. Polyverse will pay $1000 to the individual or entity who submits the first report of a live attack, subject to the following conditions:
    1. A Polyverse representative must be able to verify the attack either by logging into the attacked machine, or through a screenshare of the machine to view the actual logs that led to detection.
    2. An individual or entity will only be paid once for each specific category of attack.
      1. The individual or entity reporting the attack is responsible for providing any additional information requested by Polyverse in order to verify the attack.
    3. Polyverse reserves the right in its sole discretion to determine whether an attack is a new category or the same category.
      1. We will typically categorize all attacks into one category that hit the same process and file and ingress through the same bug.
    4. A penetration test or red team performing a complete synthetic attack is eligible, but a single individual will need to be responsible for making the claim (on behalf of their team or entity), receiving the reward and distributing the reward among their team (see FAQ below).
    5. Polyverse reserves the right to determine eligibility for payment from this program and to approve or deny a reward for any reason in its sole discretion.
  2. Polyverse requires the complete security stack be reported and retains the right to use those details in statistical studies we can share publicly. For example, we require details of whether or not firewalls were being used, and if so which ones, etc.
  3. Polyverse will cap the total payout for the Rewards Program to $100,000 (one hundred thousand dollars). Once that money is spent, we will pay out no more.

How to report an attack

Complete the form here.

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon applicable law.

The individual reporting the attack is responsible for determining if they have the authority to do so, and by reporting an attack, the reporting person thereby represents to Polyverse that he, she or they have the authority to (i) report the attack, (ii) to disclose information regarding the attack being reported, and (ii) to disclose their organization’s name, if such authorization is given to Polyverse). Polyverse will not be responsible for any failure by the reporter to make this determination or any consequences resulting from any violation of a policy maintained by their organization.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time with no notice and the decision as to whether or not to pay a reward is entirely in our discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Frequently asked questions

If I discover a brand new zero-day, do I retain the rights to disclosure?

Can I request not to publicize my, or my organization’s name?

Are there any restrictions on what is in my stack?

Who is liable for the tax?

I work in a team – is everyone eligible to claim the $1000 reward?

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.