Rainbow Six

Authorized security research only

Six seats. Most bounty wins.

Rainbow Six is an elite, six-seat security research collective. Candidates get the system, run it against published in-scope bounty programs, and compete on verified payouts. We share what we kill under written terms and after bounty receipts are collected.

6 Seats. Never more. No shadow bench.
30d Tryout window. Highest verified bounty wins.
1:1 Methodology access. Every serious candidate gets the same system.
0 Unauthorized probing tolerated. One hard-line breach ejects the candidacy.

The operating test

The team is small by design. Six is enough specialization to cover web, cloud, AI systems, crypto, reporting, and ops without becoming a bureaucracy. The bar is receipts, not credentials.

Authorized scope

Every work packet starts from a published bounty program or written authorization. Ambiguous work stops before testing starts.

Same machine

Serious candidates get the same source-card, duplicate-check, local-proof, and report-packet system. The competition is execution.

Receipts win

Accepted reports, verified payouts, low false-positive rate, and clean disclosure discipline decide who earns a seat.

The seat competition

We are not hiring resumes into seats. We are selecting operators by verified bounty wins, responsible-disclosure discipline, and the ability to kill weak hypotheses cheaply.

Seat 1: Founder operator
Seat 2: Open competition
Seat 3: Open competition
Seat 4: Open competition
Seat 5: Open competition
Seat 6: Open competition

You get the system

The playbook is the test. Candidates receive the source-card format, cost ledger, duplicate preflight, safe harness patterns, cheap-model ideation flow, and report template when they sign the seat agreement.

Scout cheap

Cheap-model breadth builds target maps, scope boundaries, prior-art checks, and weak-candidate kills before premium compute burns.

Verify hard

Dual-vendor adversarial checks, source cards, and local-only reproduction fixtures decide what gets promoted.

Fire clean

Submissions go through official bounty channels with concise impact, reproduction steps, constraints, and non-claims.

What winners do

  1. Pick a published bounty program. Stay inside scope. No ambiguous production activity.
  2. Run the Rainbow Six pipeline. Document every candidate killed and every dollar of compute spent.
  3. Submit only when verified. Good reports beat volume. Duplicates and weak claims are losses.
  4. Compete on receipts. Highest verified payout in 30 days wins the seat.

Paid start-now work

Contractor work is separate from seats. We pay humans now for bounded work that reduces bounty cost: source cards, duplicate checks, report cleanup, and queue ops.

Ops contractor

$30-50/hr, 20 hr/week. Recruiting, applicant tracking, platform paperwork, inbox triage, reply SLAs. Start within 48 hours.

Security scout

$25-150/source-card batch. Public-source scope mapping, prior art, duplicate checks, local-only hypothesis queues. Same-day trials.

Report closer

$150-500/accepted packet. Turn verified candidates into official-channel reports without overclaiming or leaking sensitive detail.

Hire the bench today

First dollar goes to bounded work. No contractor gets live-target authority on day one. We pay for scope discipline first, then promote only the people who can kill bad hypotheses cheaply.

Upwork

Post the $150 source-card trial, then convert the strongest operator to $30-50/hr for queue ownership.

Fiverr / OnlineJobs

Buy same-day public-source mapping from several candidates. Keep the scope narrow and compare output quality.

Direct candidates

Message public researchers one at a time. Reference their work. Ask whether the six-seat competition interests them.

First task

The smallest useful paid test is a source-card micro-trial. It tells us whether a candidate respects scope, writes clearly, finds prior art, and knows when not to touch production.

  1. Budget: $20 micro-trial, or $150 for the full 24-hour packet.
  2. Deliverable: in-scope map, out-of-scope map, duplicate links, three local-only hypotheses.
  3. Decision: kill, hold, or promote. No ambiguous middle.

Apply

Seat applications go to disclosure@rainbowsix.dev. Contractor applications go to recruiting@rainbowsix.dev.

Seat application

  • Strongest disclosure-platform handle
  • Best public or disclosed finding
  • First bounty program you would attack and why
  • Timezone and earliest start date

Contractor application

  • Role: ops, scout, or report closer
  • Hourly or per-packet rate
  • Availability this week
  • One example of security work you handled

What not to send

  • Secrets, keys, tokens, or private data
  • Exploit detail from private programs
  • Requests to test out of scope
  • Agency/team seat applications