Message-ID: <45AD0B85.8040006@digitalmunition.com>
Date: Tue, 16 Jan 2007 12:29:41 -0500
From: "K F (lists)" <kf_lists@...italmunition.com>
To: Simon Smith <simon@...soft.com>
Cc: contributor <Contributor@...fense.com>,
	Untitled <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge

No offense to iDefense as I have used their services in the past... but 
MY Q1 2007 Challenge to YOU is to start offering your researchers more 
money in general! I've sold remotely exploitable bugs in random 3rd 
party products for more $$ than you are offering for these Vista items 
(see the h0n0 #3). I really think you guys are devaluing the exploit 
market with your low offers... I've had folks mail me like WOW iDefense 
offered me $800 for this remote exploit. Pfffttt not quite.

We all know black hats are selling these sploits for <=$25k so why 
should the legit folks settle for anything less? As an example the guys 
at MOAB kicked around selling a Quicktime bug to iDefense but in the end 
we decided it was not worth it due to low pay...

Low Pay == Not getting disclosed via iDefense....

-KF


> I know someone who will pay significantly more per vulnerability against the
> same targets.
>
> On 1/10/07 12:27 PM, "contributor" <Contributor@...fense.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Also available at:
>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>>
>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
>> Vista & IE 7.0*
>>
>> Both Microsoft Internet Explorer and Microsoft Windows dominate their
>> respective markets, and it is not surprising that the decision to
>> update to the current release of Internet Explorer 7.0 and/or Windows
>> Vista is fraught with uncertainty.  Primary in the minds of IT security
>> professionals is the question of vulnerabilities that may be present in
>> these two groundbreaking products.
>>
>> To help assuage this uncertainty, iDefense Labs is pleased to announce
>> the Q1, 2007 quarterly challenge.
>>
>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>>
>> Vulnerability Challenge:
>> iDefense will pay $8,000 for each submitted vulnerability that allows
>> an attacker to remotely exploit and execute arbitrary code on either of
>> these two products.  Only the first submission for a given vulnerability
>> will qualify for the award, and iDefense will award no more than six
>> payments of $8000.  If more than six submissions qualify, the earliest
>> six submissions (based on submission date and time) will receive the
>> award.  The iDefense Team at VeriSign will be responsible for making the
>> final determination of whether or not a submission qualifies for the
>> award.  The criteria for this phase of the challenge are:
>>
>> I) Technologies Covered:
>> -    Microsoft Internet Explorer 7.0
>> -    Microsoft Windows Vista
>>
>> II) Vulnerability Challenge Ground Rules:
>> -    The vulnerability must be remotely exploitable and must allow
>> arbitrary code execution in a default installation of one of the
>> technologies listed above
>> -    The vulnerability must exist in the latest version of the
>> affected technology with all available patches/upgrades applied
>> -    'RC' (Release candidate), 'Beta', 'Technology Preview' and
>> similar versions of the listed technologies are not included in this
>> challenge
>> -    The vulnerability must be original and not previously disclosed
>> either publicly or to the vendor by another party
>> -    The vulnerability cannot be caused by or require any additional
>> third party software installed on the target system
>> -    The vulnerability must not require additional social engineering
>> beyond browsing a malicious site
>>
>> Working Exploit Challenge:
>> In addition to the $8000 award for the submitted vulnerability,
>> iDefense will pay from $2000 to $4000 for working exploit code that
>> exploits the submitted vulnerability.  The arbitrary code execution
>> must be of an uploaded non-malicious payload.  Submission of a
>> malicious payload is grounds for disqualification from this phase of
>> the challenge.
>>
>> I) Technologies Covered:
>> -    Microsoft Internet Explorer 7.0
>> -    Microsoft Windows Vista
>>
>> II) Working Exploit Challenge Ground Rules:
>> Working exploit code must be for the submitted vulnerability only -
>> iDefense will not consider exploit code for existing vulnerabilities
>> or new vulnerabilities submitted by others.  iDefense will consider
>> one and only one working exploit for each original vulnerability
>> submitted.
>>
>> The minimum award for a working exploit is $2000.  In addition to the
>> base award, additional amounts up to $4000 may be awarded based upon:
>> -    Reliability of the exploit
>> -    Quality of the exploit code
>> -    Readability of the exploit code
>> -    Documentation of the exploit code
