Program Details

  1. How to apply: send your report to bugbounty@hex-rays.com. The report should include the PoC code and a short description of the bug and its impact.

  2. We reserve the right to refuse a bounty payment if we believe the actions of the reporter have endangered the security of Hex-Rays' end users.

  3. The duration of the bounty program: undetermined. We reserve the right to close the program at any moment.

  4. What will be asked of reporters: proper, legal picture identification and bank account information within 30 days of the bug acknowledgement.

  5. Collective entries are allowed. The bounty will be paid to the person designated by the group.

Eligible Security Bugs

Bugs in Hex-Rays products (IDA and the Decompiler)

Security bugs in Hex-Rays code (not third-party code)

Original and previously unreported vulnerabilities

High or critical impact (RCE, privilege escalation, etc.)

Present in the latest public release

Works on a clean, unmodified installation

Triggered without user interaction or during natural workflow

Not Eligible

Issues with our website

Bugs during explicit debugging sessions or script execution

Anti-debugging and similar tricks

Simple crashes and denial-of-service bugs

Bugs requiring binary patching or registry editing

Issues in third-party/contributed code

Reported vulnerabilities

| Date | Reporter | Products | Description |
|---|---|---|---|
| 2011-02-08 19:21 | Stefan Esser | IDA 5.7 and 6.0 | Vulnerability in Mach-O loader |
| 2011-02-10 10:37 | Alin Rad Pop | IDA 5.7 and 6.0 | Vulnerability in the conversion of string encodings |
| 2011-02-11... | Masaaki Chida | IDA 5.7 and 6.0 | Multiple vulnerabilities |
| 2011-02-20... | Masaaki Chida | IDA 5.7 and 6.0 | Multiple vulnerabilities |
| 2011-03-18... | undisclosed | IDA 5.7 and 6.0 | Plugin autorun vulnerability |
| 2011-04-10... | undisclosed | IDA 5.7 and 6.0 and early copies of 6.1 | WinDbg autorun vulnerability |
| 2012-03-19 19:50 | Greg MacManus | IDA versions up to 6.2 | Python autorun script vulnerability |
| 2013-07-07 01:33 | Masaaki Chida | IDA versions 6.3 and 6.4 | Vulnerability in .net processor module |
| 2013-07-15 19:14 | Masaaki Chida | IDA versions up to 6.4 | WinDbg autorun vulnerability |
| 2013-07-21 11:13 | Masaaki Chida | IDA versions up to 6.4 | Vulnerability in hint calculation |
| 2014-01-05 01:07 | George Hotz | IDA versions up to 6.5 | Vulnerability in Mach-O loader |
| 2014-06-09 17:52 | Tadashi Kobayashi | IDA versions up to 6.6 | Vulnerability in til file loading |
| 2014-09-06 12:54 | Mateusz Jurczyk | IDA versions up to 6.6 | Multiple vulnerabilities |
| 2014-11-19 23:34 | Robert Święcki | IDA versions up to 6.6 | Multiple vulnerabilities |
| 2014-11-26 12:07 | Mateusz Jurczyk | IDA versions up to 6.6 | Multiple vulnerabilities |
| 2014-12-03 01:59 | Robert Święcki | IDA versions up to 6.6 | Vulnerability in PE loader |
| 2014-12-19 20:15 | George Nosenko | IDA versions up to 6.6 | Vulnerability in GDB debugger module |
| 2015-01-08 20:48 | Mateusz Jurczyk | IDA versions up to 6.7 | Multiple vulnerabilities |
| 2015-01-14 12:08 | Mateusz Jurczyk | IDA versions up to 6.7 | Multiple vulnerabilities |
| 2015-01-27 21:08 | Gynvael Coldwind and Mateusz Jurczyk | IDA versions up to 6.7 | Multiple vulnerabilities |
| 2015-11-17 14:36 | Mateusz Jurczyk | IDA versions up to 6.8 | Two vulnerabilities in the PE loader |
| 2019-01-29 06:53 | Ryota Shiga | IDA versions up to 7.2 | Unintended HTML rendering in dialog boxes |
| 2019-11-14 10:09 | Ryota Shiga | IDA versions from 7.0 to 7.4 | Vulnerability in debug servers |
| 2020-07-31 06:00 | Axel '0vercl0k' Souchet | IDA versions up to IDA 7.5 | DWARF: The plugin could perform a use-after-free during stack unwinding on some DWARF input files |
| 2020-08-06 08:30 | Axel '0vercl0k' Souchet | IDA versions up to IDA 7.5 | Multiple vulnerabilities |
| 2020-08-17 | Axel '0vercl0k' Souchet | IDA versions up to IDA 7.5 | A few minor bugs in DWARF processing |
| 2020-09-05 | Lei Sun, Ocean University of China | IDA versions up to IDA 7.5 | Multiple bugs in libdwarf |
| 2020-09-08 | Axel '0vercl0k' Souchet | IDA versions up to IDA 7.5 | A dereference of a wild pointer when reading corrupted pdb files |
| 2022-07-07 | bee13oy of Kunlun Lab | IDA 7.7 | A potential double-free during DWARF parsing |
| 2023-02-27 | Q1ngH3, afang5472, P1umer | IDA versions up to IDA 8.2 | Several OOB reads in type info deserialization |

Beta Program

Users with active IDA licenses can join our Beta program to get early access to new features and improvements.

How to Join

Log into the portal and click the "Subscribe to the Beta Program" button

Beta access

Receive email invitations to upcoming Beta sessions

Requirements

Active IDA license required for participation


Security Bug Bounty

Help us make IDA and the Decompiler more secure by reporting security vulnerabilities and earn cash rewards.

Cash Rewards

Log into the portal and click the "Subscribe to the Beta Program" button

Impact Focus

High and critical impact vulnerabilities are eligible

Active Program

Ongoing program with undetermined duration
