[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

No offense to iDefense as I have used their services in the past... but MY Q1 2007 Challenge to YOU is to start offering your researchers more money in general! I've sold remotely exploitable bugs in random 3rd party products for more $$ than you are offering for these Vista items (see the h0n0 #3). I really think you guys are devaluing the exploit market with your low offers... I've had folks mail me like WOW iDefense offered me $800 for this remote exploit. Pfffttt not quite.
We all know black hats are selling these sploits for <=$25k so why should the legit folks settle for anything less? As an example the guys at MOAB kicked around selling a Quicktime bug to iDefense but in the end we decided it was not worth it due to low pay... 

Low Pay == Not getting disclosed via iDefense....

-KF



I know someone who will pay significantly more per vulnerability against the
same targets. 

On 1/10/07 12:27 PM, "contributor" <suppressed> wrote:


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
Also available at: 



http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+chall
enge


*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities

in

Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows

dominate their

respective markets, and it is not surprising that the decision

to

update to the current release of Internet Explorer 7.0 and/or Windows
Vista

is fraught with uncertainty.  Primary in the minds of IT

security

professionals is the question of vulnerabilities that may be

present in these

two groundbreaking products.


To help assuage this uncertainty, iDefense Labs

is pleased to announce

the Q1, 2007 quarterly challenge.

Remote Arbitrary

Code Execution Vulnerabilities in Vista and IE 7.0


Vulnerability

Challenge:

iDefense will pay $8,000 for each submitted vulnerability that

allows

an attacker to remotely exploit and execute arbitrary code on either
of

these two products.  Only the first submission for a given

vulnerability will

qualify for the award, and iDefense will award no

more than six payments of

$8000.  If more than six submissions

qualify, the earliest six submissions

(based on submission date and

time) will receive the award.  The iDefense Team

at VeriSign will be

responsible for making the final determination of whether

or not a

submission qualifies for the award.  The criteria for this phase

of

the challenge are:

I) Technologies Covered:
- -    Microsoft Internet

Explorer 7.0

- -    Microsoft Windows Vista

II) Vulnerability Challenge

Ground Rules:

- -    The vulnerability must be remotely exploitable and must

allow

arbitrary code execution in a default installation of one of

the

technologies listed above
- -    The vulnerability must exist in the

latest version of the

affected technology with all available patches/upgrades

applied

- -    'RC' (Release candidate), 'Beta', 'Technology Preview'

and

similar versions of the listed technologies are not included in

this

challenge
- -    The vulnerability must be original and not previously

disclosed

either publicly or to the vendor by another party
- -    The

vulnerability cannot be caused by or require any additional

third party

software installed on the target system

- -    The vulnerability must not

require additional social engineering

beyond browsing a malicious

site


Working Exploit Challenge:
In addition to the $8000 award for the

submitted vulnerability,

iDefense will pay from $2000 to $4000 for working

exploit code that

exploits the submitted vulnerability.  The arbitrary code

execution

must be of an uploaded non-malicious payload.  Submission of

a

malicious payload is grounds for disqualification from this phase of
the

challenge.


I) Technologies Covered:
- -    Microsoft Internet Explorer 7.0
-

-    Microsoft Windows Vista


II) Working Exploit Challenge Ground

Rules:

Working exploit code must be for the submitted vulnerability only

­

iDefense will not consider exploit code for existing vulnerabilities
or new

vulnerabilities submitted by others.  iDefense will consider

one and only one

working exploit for each original vulnerability

submitted.

The minimum award

for a working exploit is $2000.  In addition to the

base award, additional

amounts up to $4000 may be awarded based upon:

- -    Reliability of the

exploit

- -    Quality of the exploit code
- -    Readability of the exploit

code

- -    Documentation of the exploit code


-----BEGIN PGP

SIGNATURE-----

Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with

Mozilla - http://enigmail.mozdev.org
iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU 
QkO9IXq+PsC6

bMKg7j6Dwfw=

=N0am
-----END PGP

SIGNATURE-----


_______________________________________________
Full-Disclosur

e - We believe in it.

Charter:

http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by

Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.