The Zero Day Reward Program is intended to encourage and educate a wide audience of security professionals and enthusiasts to look for a class of attacks not commonly looked for.
Towards this purpose, Polyverse has built an open-source tool called Zerotect: https://github.com/polyverse/zerotect
This program is intended to reward users who observe and report real attacks on their systems using Zerotect.
Complete the form here.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon applicable law.
The individual reporting the attack is responsible for determining if they have the authority to do so, and by reporting an attack, the reporting person thereby represents to Polyverse that he, she or they have the authority to (i) report the attack, (ii) disclose information regarding the attack being reported, and (iii) disclose their organization’s name (if such authorization is given to Polyverse). Polyverse will not be responsible for any failure by the reporter to make this determination or any consequences resulting from any violation of a policy maintained by their organization.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time with no notice and the decision as to whether or not to pay a reward is entirely in our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
If I discover a brand new zero-day, do I retain the rights to disclosure?
Can I request not to publicize my, or my organization’s name?
Are there any restrictions on what is in my stack?
Who is liable for the tax?
I work in a team – is everyone eligible to claim the $1000 reward?