[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <001001c23e52$b22dedb0$b60416c3@winpc>
From: bacano at esoterica.pt (bacano)
Subject: IDEFENSE PAYING $$$ FOR VULNS
While for one 10% of the patch cost it's ok (the flop is you kiddo), for
other a 0day license should be on the way (that's why an agree from time to
time with MS it's hard to get?) ...
This are just GOOD examples of what security is this days ...
Probably after all Bill is the only one who is serious in this business,
because everybody knows what his company does and for what.
I'm back to my cave now, having pleasure with my pizzas and pastas ...
Bacano
Esoteric Pizza Reseach Team (CEO)
PS - sure next replies to the issue will be about egos ...
----- Original Message -----
From: "Georgi Guninski" <guninski@...inski.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, August 07, 2002 8:32 PM
Subject: Re: [Full-Disclosure] IDEFENSE PAYING $$$ FOR VULNS
> I got spammed with the same too.
> The URL is:
> http://www.idefense.com/contributor.html
>
> Isn't it time for some kind of "trade union" or a kind of "0day license
> agreement" so 0days cost more than just $400 and 0days don't be misused
for
> profit? :)
>
> georgi
>
> choose.a.username@...hmail.com wrote:
> > Just received this spam from Idefense $400 US for a 0 day. Good idea
but that's not enough. MiCrowSoft is quick to tell everyone it costs
$100,000 to create a patch. Idefense should pay 10% of that to make it
worthwhile.
> >
> > MONEY MONEY MONEY MONEY MONEY. Everyone's in it for a quick buck.
> >
> >
> > The iDEFENSE Vulnerability Contributor Program
> >
> > iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world ? from technical vulnerabilities and
hacker profiling to the global spread of viruses and other malicious code.
iALERT, our security intelligence service, provides decision-makers,
frontline security professionals and network administrators with timely
access to actionable intelligence and decision support on cyber-related
threats.
> >
> > iDEFENSE verifies vulnerabilities, examines the behavior of exploits and
other malicious code, and discovers new software/hardware weaknesses in a
controlled lab environment. We recognize that there is an abundance of
technical security knowledge concerning as-yet-undisclosed vulnerabilities,
exploits and malicious code that is constantly discovered and created by
individuals and security groups. Some of this information may see the light
of day on security mailing lists or are eventually disclosed as the result
of a post-mortem analysis of a compromised computer system.
> >
> > iDEFENSE's Vulnerability Contributor Program (VCP) is meant to
appropriately pays those who choose to provide advance information and
copies of vulnerabilities, exploits and malicious code that could be of
interest. Alternately, iDEFENSE can donate the funds to a charity of the
contributor?s choice in their name. The chart below gives an outline of the
maximum amount payable.
> >
> >
> > Number of Contributions Value per undisclosed vulnerability Value per
new exploit for previously disclosed vulnerability Value per undisclosed
vulnerability AND accompanying exploit
> > EVALUATION PHASE
> >
> > 1-3 up to $75 US up to $100 US up to $200 US
> > REGULAR CONTRIBUTOR
> >
> >>4 up to $175 US up to $200 US up to $400 US
> >
> >
> > The exact amount will depend on the following issues:
> >
> > ? The kind of information being shared (i.e. vulnerability or exploit).
> > ? How much detail is provided.
> > ? The potential severity level for the information shared.
> > ? What applications, operating systems, etc. are affected.
> > ? iDEFENSE verification.
> > ? What level of exclusivity, if any, for the data, is granted to
iDEFENSE (see below).
> > ? Number of users of the affected application.
> >
> > A sample vulnerability submission template is available here.
> >
> > The contributor provides iDEFENSE with at least one week before he or
she discloses the vulnerability and/or exploit via any public forum,
including mailing lists and websites. During that period, iDEFENSE will not
release the information to any public forum. However, reports sent to
iDEFENSE customers will credit the contributor for the report. If the
vendor(s) has not been contacted by the contributor at the time of
submission, iDEFENSE will work with the contributor in deciding who and how
the issue will be reported to the vendor. iDEFENSE discloses vulnerabilities
according to our Security Vulnerability Reporting Policy.
> >
> > Situations will occur where multiple contributors will provide
information about the same vulnerability in the same product. In this case,
the first contributor who provides information that can be validated by
iDEFENSE will be compensated; others will not.
> >
> > To elaborate on levels of exclusivity, two levels offer potential
contributors the ability to maximize their compensation:
> >
> > Level 1: One week exclusive advance notice (Additional US $50)
> > The contributor provides only iDEFENSE with any sort of advanced notice
about the vulnerability and/or exploit. Afterwards, contributors are free to
distribute via a public forum and/or contact the vendor themselves. iDEFENSE
will not release the information to any public forum. Contributors will be
referenced in all reports sent to iDEFENSE clients. In addition, if the
vendor has not been contacted by the contributor, iDEFENSE will work with
the contributor to determine the appropriate process. If iDEFENSE identifies
on any forum a vulnerability and/or exploit similar to the one being
verified by iDEFENSE, no compensation will be provided. The information and
rights will be returned to the contributor.
> >
> > Level 2: Relinquish disclosure rights (Additional US $75)
> > The contributor provides iDEFENSE with exclusive disclosure rights to
any vulnerability and/or exploit. He or she chooses to never post the
vulnerability information to any other forum. iDEFENSE may release the
information to a public forum and/or iDEFENSE clients. Contributors will be
referenced in all reports sent to iDEFENSE clients. In addition, if the vend
or has not been contacted by the contributor, iDEFENSE will work with the
contributor to determine the appropriate process. If iDEFENSE identifies on
any forum a vulnerability and/or exploit similar to the one that is being
verified by iDEFENSE, no compensation will be provided at all. The
information and rights will be returned to the contributor.
> >
> > Payment is sent to the contributor via PayPal when the following
conditions have been met:
> >
> > 1. The information has been verified to a reasonable degree by iDEFENSE.
> > 2. A type of remuneration and amount has been agreed upon by iDEFENSE
and the contributor(s) for the information or code sharing.
> > 3. Information disclosure issues and timing have been agreed upon by
iDEFENSE and the contributor(s).
> >
> > If iDEFENSE has received information from potential contributors, but
the above three issues cannot be resolved, iDEFENSE will not use the
information in any way, respecting the intellectual property and/or right of
discovery of the contributor.
> >
> > If you have questions or would like to sign up as a contributor to the
VCP, please send an e-mail to contributor@...fense.com.
> >
> >
> >
> > Communicate in total privacy.
> > Get your free encrypted email at https://www.hushmail.com/?l=2
> >
> > Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure@...ts.netsys.com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> >
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
Powered by blists - more mailing lists