Bug Bounty

If you find a security bug in IDA or the Decompiler and report it to us, you may receive a cash award.

The purpose of our Security Bug Bounty Program to make our tools more secure and reward those who help us in this endeavor.

You may see the already reported vulnerabilities below.

Bounty Guidelines

  1. Hex-Rays will pay a 3000 USD bounty for certain security bugs.

  2. All IDA or Decompiler license holders can participate (with or without active support plan), except Hex-Rays employees and their families.

  3. What security bugs will be considered:

    1. Only bugs in Hex-Rays products (IDA and the Decompiler) are eligible.

    2. Security bugs must be in Hex-Rays code (not in third party/contributed code). In some cases we may take responsibility for third-party code as well.

    3. Security bugs must be original and previously unreported and not fixed yet.

    4. Security bugs with high or critical impact are eligible (remote code execution, privilege escalation, etc).

    5. Security bugs must be present in the latest public release of IDA/Decompiler.

    6. Security bugs must work on a clean, unmodified installation of IDA/Decompiler with all publicly released patches applied.

    7. In some cases we may accept bugs which require modification of the default settings of IDA (but not any binary patching, registry editing etc.).

    8. Security bugs have to be triggered without user's interaction, or with interaction which happens naturally during user's work.

  4. Bugs which are NOT eligible for the bounty:

    1. Issues with our web site

    2. Bugs which occur when the user explicitly starts a debugging session, executes a script, or any other action which may lead to execution of external code as part of its normal functionality.

    3. Anti-debugging and similar tricks.

    4. Simple crashes and denial-of-service bugs, although we'll still be interested to get the reports of these :)

  5. How to apply: send your report to bugbounty@hex-rays.com. The report should include the POC code and a small description of the bug and its impact.

  6. We reserve the right to refuse a bounty payment if we believe the actions of the reporter have endangered the security of Hex-Rays' end users.

  7. The duration of the bounty program: undetermined. We reserve the right to close the program at any moment.

  8. What will be asked from the reporters: a proper and legal picture identification and bank account information within 30 days of the bug acknowledgement.

  9. Collective entries are allowed. The bounty will be paid to the person designated by the group.

Reported vulnerabilities

Date
Reporter
Products
Description

2011-02-08 19:21

Stefan Esser

IDA 5.7 and 6.0

Vulnerability in Macho-O loader

2011-02-10 10:37

Alin Rad Pop

IDA 5.7 and 6.0

Vulnerability in the conversion of string encodings

2011-02-11...

Masaaki Chida

IDA 5.7 and 6.0

Multiple vulnerabilities

2011-02-20...

Masaaki Chida

IDA 5.7 and 6.0

Multiple vulnerabilities

2011-03-18...

undisclosed

IDA 5.7 and 6.0

Plugin autorun vulnerability

2011-04-10...

undisclosed

IDA 5.7 and 6.0 and early copies of 6.1

WinDbg autorun vulnerability

2012-03-19 19:50

Greg MacManus

IDA versions up to 6.2

Python autorun script vulnerability

2013-07-07 01:33

Masaaki Chida

IDA versions 6.3 and 6.4

Vulnerability in .net processor module

2013-07-15 at 19:14

Masaaki Chida

IDA versions up to 6.4

Windbg autorun vulnerability

2013-07-21 11:13

Masaaki Chida

IDA versions up to 6.4

Vulnerability in hint calculation

2014-01-05 at 01:07

George Hotz

IDA versions up to 6.5

Vulnerability in Mach-O loader

2014-06-09 17:52

Tadashi Kobayashi

IDA versions up to 6.6

Vulnerability in til file loading

2014-09-06 12:54

Mateusz Jurczyk

IDA versions up to 6.6

Multiple vulnerabilities

2014-11-19 23:34

Robert Święcki

IDA versions up to 6.6

Multiple vulnerabilities

2014-11-26 12:07

Mateusz Jurczyk

IDA versions up to 6.6

Multiple vulnerabilities

2014-12-03 01:59

Robert Święcki

IDA versions up to 6.6

Vulnerability in PE loader

2014-12-19 20:15

George Nosenko

IDA versions up to 6.6

Vulnerability in GDB debugger module

2015-01-08 20:48

Mateusz Jurczyk

IDA versions up to 6.7

Multiple vulnerabilities

2015-01-14 12:08

Mateusz Jurczyk

IDA versions up to 6.7

Multiple vulnerabilities

2015-01-27 21:08

Gynvael Coldwind and Mateusz Jurczyk

IDA versions up to 6.7

Multiple vulnerabilities

2015-11-17 14:36

Mateusz Jurczyk

IDA versions up to 6.8

Two vulnerabilities in the PE loader

2019-01-29 06:53

Ryota Shiga

IDA versions up to 7.2

Unintended HTML rendering in dialog boxes

2019-11-14 10:09

Ryota Shiga

IDA versions from 7.0 to 7.4

Vulnerability in debug servers

2020-07-31 06:00

Axel '0vercl0k' Souchet

IDA versions up to IDA 7.5

DWARF: The plugin could perform a use-after-free during stack unwinding on some DWARF input files

2020-08-06 08:30

Axel '0vercl0k' Souchet

IDA versions up to IDA 7.5

Multiple vulnerabilities

2020-08-17

Axel '0vercl0k' Souchet

IDA versions up to IDA 7.5

A few minor bugs in DWARF processing

2020-09-05

Lei Sun, Ocean University of China

IDA versions up to IDA 7.5

Multiple bugs in libdwarf

2020-09-08

Axel '0vercl0k' Souchet

IDA versions up to IDA 7.5

A dereference of a wild pointer when reading corrupted pdb files

2022-07-07

bee13oy of Kunlun Lab

IDA 7.7

A potential double-free during DWARF parsing

2023-02-27

Q1ngH3, afang5472, P1umer

IDA versions up to IDA 8.2

several OOB reads in type info deserialization

Thank you for participating in our bug bounty program!

Last updated