As of August 22nd 2016, the Internet Bug Bounty is no longer awarding bounties for Flash. We 'd like to extend our sincere thanks to the researchers who have helped resolve almost 70 vulnerabilities over these last three years. Eliminating these vulnerabilities combined with significant engineering efforts from Adobe and further hardening from browser vendors, Flash exploitation no longer has the same impact as when we started. Thank you!

The Internet Bug Bounty will be shifting these resources towards the our bounties covering open source infrastructure.

If you have any questions, please contact us at panel@internetbugbounty.org

The Internet Bug Bounty is issuing rewards for vulnerabilities in the Adobe Flash Player. Flash Player is ubiquitously installed across the world’s desktop machines, and is one of the few browser plug-ins that is run by default across different browsers.

Qualifying vulnerability classes

• Remote code execution
• Same-origin-policy violations
• Flash-specific sandbox escapes (e.g. memory corruption in the Flash broker)

Qualifying host browsers

• Chrome
• Internet Explorer
• Firefox
• Safari on OS X
• Microsoft Office

Additional guidance

• Report your discovery directly to Adobe PSIRT __. Submit your finding here after the issue has been resolved and publicly acknowledged in a security advisory. At this time, we are only awarding vulnerabilities that have been disclosed directly to Adobe.
• The Panel is a group of your peers serving as volunteers. They have limited amount of free time to deeply investigate bugs, so they kindly request that you write clear, concise reports detailing the nature and impact of the finding.
• A sandbox escape is not required. We anticipate that most rewards will be for memory corruptions that manifest within the confines of a sandbox.
• For same-origin-policy violations, a plausible attack against a popular web site should be demonstrated.
• For memory corruption issues, likely exploitability must be shown. Demonstrating full exploitation is helpful but not required to qualify.
• Reports of browser-agnostic vulnerabilities are preferred, but any serious vulnerability is likely to qualify even if impact can only be demonstrated in one of the popular browsers.

Bounty guidance

• Minimum reward of $2,000, with $5,000+ being achievable with a good proof-of-concept and write-up.