
Acquisition Campaigns



RCE on Microsoft Outlook on the web (OWA) Rewarded $200,000 USD

Status: Open

Zeronomicon will consider purchasing from you against payment of $200,000.00 USD (Two hundred thousand USD) an exclusive exploit that achieves remote code execution on a server running the latest version of Microsoft OWA (Outlook on the web / Outlook Web App / Outlook Web Access), relying solely on access to the OWA interface without knowledge of any user credentials.

The window to submit suitable proposals is open from the date of this announcement. It will remain open until November 30th 2016, 12:00pm GMT, unless terminated earlier or extended at the sole discretion of Zeronomicon. The window for submission may in particular be terminated earlier if the total payout to vulnerability researchers reaches $600,000.00 USD (Six hundred thousand USD).


Your submission must contain a reliable exploit for one or more unknown, unpublished and unreported vulnerabilities (i.e., zero-days) which are combined to allow remote code execution on OWA and bypass all exploit mitigations, including ASLR, DEP, stack and heap protections, process integrity levels, code signing, etc.

The exploit must lead to remote code execution of arbitrary compiled code on a server running OWA.

The initial attack vector must be via the OWA web interface or an interface or port which is part of the attack surface contributed by the OWA software. The exploited interface or port must be open by default when setting up a production OWA server and accessible from a remote location over the internet.

The exploitation process must be achievable remotely over the internet, reliably, silently, and without requiring any user interaction.

The exploit must not rely on any prior knowledge of the server except its address. All other information required for successful exploitation must be gathered as part of the exploit. Specifically, the exploit must not depend on having valid user credentials for the server, or any part of them.

The exploit must support and work reliably on the following server versions and operating systems (32-bit and 64-bit, as applicable): Microsoft Exchange Server 2016 Standard or Enterprise Editions and Microsoft Exchange Server 2013 Standard or Enterprise Editions Service Pack 1 (SP1), running Windows Server 2016 Technical Preview 5 (Build 10.0.14300 (1511)) or Windows Server 2012 R2 6.3 (Build 9600).

If all of the above criteria are fully met, we will decide whether to make you an offer to purchase the exploit from you. Please note that this decision is fully at our discretion and you have no claim to be awarded such an offer by us, even if your submission meets the aforesaid criteria. Please also note that any such purchase by us will require that you have not disclosed, sold or offered the exploit to anyone else before or during our verification of your submission. If we purchase your exploit, the exploit will exclusively be our property and you shall not disclose it to anyone else. If we decide not to purchase your exploit, we will not disclose your information to a third party, provided we have not received this information from other sources prior to your submission, and you are free to use your exploit for any other purposes and projects. However, any claims for remuneration, fees, compensation of effort or expenditures, or other payments are excluded.

All submissions must be made exclusively to Zeronomicon and must include the fully functioning exploit, its source code and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the exploit.

This request is subject to the laws in force in Italy, without recourse to its conflict of laws provisions. Any dispute resulting from a submission will exclusively be decided by the courts competent at the seat of Zeronomicon.