| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Jan 2007 23:30:35 +0100 From: "ad@...poverflow.com" <mr.dovi@...il.com> To: "K F (lists)" <kf_lists@...italmunition.com> Cc: Untitled <full-disclosure@...ts.grok.org.uk> Subject: Re: iDefense Q-1 2007 Challenge I agree with you KF , that's why I do not recommand iDEFENSE in my forum's footer since some times now. They are just playing on the fact they are alone , or they were alone for a long time on this market, and they do not wish to do any effort, making loads of dollars with us , to say clean , they sucks. AD K F (lists) wrote: > No offense to iDefense as I have used their services in the past... but > MY Q1 2007 Challenge to YOU is to start offering your researchers more > money in general! I've sold remotely exploitable bugs in random 3rd > party products for more $$ than you are offering for these Vista items > (see the h0n0 #3). I really think you guys are devaluing the exploit > market with your low offers... I've had folks mail me like WOW iDefense > offered me $800 for this remote exploit. Pfffttt not quite. > > We all know black hats are selling these sploits for <=$25k so why > should the legit folks settle for anything less? As an example the guys > at MOAB kicked around selling a Quicktime bug to iDefense but in the end > we decided it was not worth it due to low pay... > > Low Pay == Not getting disclosed via iDefense.... > > -KF > > > >> I know someone who will pay significantly more per vulnerability against the >> same targets. >> >> >> On 1/10/07 12:27 PM, "contributor" <Contributor@...fense.com> wrote: >> >> >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> >>> >> Hash: SHA1 >> >> Also available at: >> >> >> >> >>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+chall >>> enge >>> >>> >> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities >> >> >>> in >>> >>> >> Vista & IE 7.0* >> >> Both Microsoft Internet Explorer and Microsoft Windows >> >> >>> dominate their >>> >>> >> respective markets, and it is not surprising that the decision >> >> >>> to >>> >>> >> update to the current release of Internet Explorer 7.0 and/or Windows >> Vista >> >> >>> is fraught with uncertainty. Primary in the minds of IT >>> >>> >> security >> >> >>> professionals is the question of vulnerabilities that may be >>> >>> >> present in these >> >> >>> two groundbreaking products. >>> >>> >> To help assuage this uncertainty, iDefense Labs >> >> >>> is pleased to announce >>> >>> >> the Q1, 2007 quarterly challenge. >> >> Remote Arbitrary >> >> >>> Code Execution Vulnerabilities in Vista and IE 7.0 >>> >>> >> Vulnerability >> >> >>> Challenge: >>> >>> >> iDefense will pay $8,000 for each submitted vulnerability that >> >> >>> allows >>> >>> >> an attacker to remotely exploit and execute arbitrary code on either >> of >> >> >>> these two products. Only the first submission for a given >>> >>> >> vulnerability will >> >> >>> qualify for the award, and iDefense will award no >>> >>> >> more than six payments of >> >> >>> $8000. If more than six submissions >>> >>> >> qualify, the earliest six submissions >> >> >>> (based on submission date and >>> >>> >> time) will receive the award. The iDefense Team >> >> >>> at VeriSign will be >>> >>> >> responsible for making the final determination of whether >> >> >>> or not a >>> >>> >> submission qualifies for the award. The criteria for this phase >> >> >>> of >>> >>> >> the challenge are: >> >> I) Technologies Covered: >> - - Microsoft Internet >> >> >>> Explorer 7.0 >>> >>> >> - - Microsoft Windows Vista >> >> II) Vulnerability Challenge >> >> >>> Ground Rules: >>> >>> >> - - The vulnerability must be remotely exploitable and must >> >> >>> allow >>> >>> >> arbitrary code execution in a default installation of one of >> >> >>> the >>> >>> >> technologies listed above >> - - The vulnerability must exist in the >> >> >>> latest version of the >>> >>> >> affected technology with all available patches/upgrades >> >> >>> applied >>> >>> >> - - 'RC' (Release candidate), 'Beta', 'Technology Preview' >> >> >>> and >>> >>> >> similar versions of the listed technologies are not included in >> >> >>> this >>> >>> >> challenge >> - - The vulnerability must be original and not previously >> >> >>> disclosed >>> >>> >> either publicly or to the vendor by another party >> - - The >> >> >>> vulnerability cannot be caused by or require any additional >>> >>> >> third party >> >> >>> software installed on the target system >>> >>> >> - - The vulnerability must not >> >> >>> require additional social engineering >>> >>> >> beyond browsing a malicious >> >> >>> site >>> >>> >> Working Exploit Challenge: >> In addition to the $8000 award for the >> >> >>> submitted vulnerability, >>> >>> >> iDefense will pay from $2000 to $4000 for working >> >> >>> exploit code that >>> >>> >> exploits the submitted vulnerability. The arbitrary code >> >> >>> execution >>> >>> >> must be of an uploaded non-malicious payload. Submission of >> >> >>> a >>> >>> >> malicious payload is grounds for disqualification from this phase of >> the >> >> >>> challenge. >>> >>> >> I) Technologies Covered: >> - - Microsoft Internet Explorer 7.0 >> - >> >> >>> - Microsoft Windows Vista >>> >>> >> II) Working Exploit Challenge Ground >> >> >>> Rules: >>> >>> >> Working exploit code must be for the submitted vulnerability only >> >> >>> >>> >>> >> iDefense will not consider exploit code for existing vulnerabilities >> or new >> >> >>> vulnerabilities submitted by others. iDefense will consider >>> >>> >> one and only one >> >> >>> working exploit for each original vulnerability >>> >>> >> submitted. >> >> The minimum award >> >> >>> for a working exploit is $2000. In addition to the >>> >>> >> base award, additional >> >> >>> amounts up to $4000 may be awarded based upon: >>> >>> >> - - Reliability of the >> >> >>> exploit >>> >>> >> - - Quality of the exploit code >> - - Readability of the exploit >> >> >>> code >>> >>> >> - - Documentation of the exploit code >> >> >> -----BEGIN PGP >> >> >>> SIGNATURE----- >>> >>> >> Version: GnuPG v1.4.3 (MingW32) >> Comment: Using GnuPG with >> >> >>> Mozilla - http://enigmail.mozdev.org >>> >>> >> >> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU >> QkO9IXq+PsC6 >> >> >>> bMKg7j6Dwfw= >>> >>> >> =N0am >> -----END PGP >> >> >>> SIGNATURE----- >>> >>> >> _______________________________________________ >> Full-Disclosur >> >> >>> e - We believe in it. >>> >>> >> Charter: >> >> >>> http://lists.grok.org.uk/full-disclosure-charter.html >>> >>> >> Hosted and sponsored by >> >> >>> Secunia - http://secunia.com/ >>> >>> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists