Corporate Profile

VUPEN is the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.

While other companies in the vulnerability intelligence industry mainly act as brokers who buy vulnerabilities from third-party researchers and then sell them to their customers, all VUPEN's vulnerability intelligence results exclusively from our internal and in-house research efforts conducted by our team of world-class researchers.

VUPEN's offensive IT intrusion solutions and government grade exploits enable the Intelligence community and government agencies to achieve their offensive cyber operations and lawful intercept missions using VUPEN's industry-recognized vulnerability research and intelligence.

VUPEN's defensive security research enables governments and corporations to measure and manage risks, eliminate vulnerabilities before they can be exploited, and protect critical or national infrastructures and assets against known and unknown exploits and cyber threats.

VUPEN customers include worldwide governments and major corporations in finance, technology and manufacturing.


Awards & Industry Recognition


In March 2013, VUPEN has once again won the 1st place at the Pwn2Own 2013 security competition by creating and showing the first exploit for Internet Explorer 10 Classic (Desktop) and IE 10 Modern UI (Metro) on Microsoft Surface Pro running a Wndows 8 operating system. The exploit fully bypassed all Windows 8 security protections and exploit mitigation technologies including HiASLR, DEP, AntiROP and Protected Mode sandbox. VUPEN has also created and demonstrated various exploits for the latest versions of Mozilla Firefox, Adobe Flash Player, and Oracle Java.


In March 2012, VUPEN has won the 1st place at the Pwn2Own 2012 security competition by creating and showing extremely sophisticated zero-day exploits which fully compromised up-to-date Google Chrome and Microsoft Internet Explorer browsers, and bypassed all security protections and exploit mitigation technologies such as DEP, ASLR and sandboxes.

To demonstrate its in-depth knowledge of software vulnerabilities and advanced exploit development capabilities, VUPEN team has also written, on-site during the event and in less than 24 hours, 6 distinct code execution exploits for previously patched Internet Explorer, Firefox, and Safari vulnerabilities on Windows and Mac OS X operating systems.


In June 2011, VUPEN has been recognized as "Company of the Year 2011 in the Vulnerability Research Market" by Frost & Sullivan.

"VUPEN has made great strides in the vulnerability research market, proving that it is a top competitor against competing labs. Frost & Sullivan firmly believes that VUPEN's dedication and entrepreneurial drive to provide the highest quality security intelligence to meet the needs of the current security environment has proven VUPEN as a reputable and innovative vulnerability research company." says Frost & Sullivan research analyst Richard Martinez.


In March 2011, VUPEN has participated to and won the Pwn2Own 2011 security competition by discovering and exploiting a critical and previously unknown vulnerability in Apple Mac OS X Snow Leopard.

During this event, VUPEN has demonstrated its sophisticated and highly reliable exploits bypassing all security protections and exploit mitigation technologies.


Research Excellence

VUPEN Vulnerability Research Team (VRT) is the most active security team in the world. Additionally to analyzing and exploiting recently patched or publicly disclosed flaws, VUPEN security engineers and researchers are also dedicated to finding critical and unpatched vulnerabilities in prominent and widely deployed software created by Microsoft, Adobe, Sun, Apple, Oracle, Novell, and others.

VUPEN follows a commercial responsible disclosure policy by sharing its vulnerability research exclusively with its customers. VUPEN also reports all discovered vulnerabilities to the affected vendors under contract with VUPEN, and works with them to create a timetable pursuant to which the vulnerability information may be publicly disclosed.