Message-ID: <5598cfa10701162038u41ba5b71xb7375cac1ad845fc@mail.gmail.com>
Date: Tue, 16 Jan 2007 22:38:54 -0600
From: "Mark Sec" <mark.sec@...il.com>
To: "ad@...poverflow.com" <mr.dovi@...il.com>
Cc: Untitled <full-disclosure@...ts.grok.org.uk>
Subject: Re: iDefense Q-1 2007 Challenge

All people black hat, I agree with you KF, iDefense low pay s0x!

- mark





On 16/01/07, ad@...poverflow.com <mr.dovi@...il.com> wrote:
>
> I agree with you KF, that's why I have not recommended iDEFENSE in my
> forum's footer for some time now.
> They are just playing on the fact they are alone, or they were alone
> for a long time on this market, and they do
> not wish to do any effort, making loads of dollars with us, to say
> clean, they suck.
>
> AD
>
> K F (lists) wrote:
> > No offense to iDefense as I have used their services in the past... but
> > MY Q1 2007 Challenge to YOU is to start offering your researchers more
> > money in general! I've sold remotely exploitable bugs in random 3rd
> > party products for more $$ than you are offering for these Vista items
> > (see the h0n0 #3). I really think you guys are devaluing the exploit
> > market with your low offers... I've had folks mail me like WOW iDefense
> > offered me $800 for this remote exploit. Pfffttt not quite.
> >
> > We all know black hats are selling these sploits for <=$25k so why
> > should the legit folks settle for anything less? As an example the guys
> > at MOAB kicked around selling a Quicktime bug to iDefense but in the end
> > we decided it was not worth it due to low pay...
> >
> > Low Pay == Not getting disclosed via iDefense....
> >
> > -KF
> >
> >
> >
> >> I know someone who will pay significantly more per vulnerability
> >> against the same targets.
> >>
> >>
> >> On 1/10/07 12:27 PM, "contributor" <Contributor@...fense.com> wrote:
> >>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Also available at:
> >>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
> >>>
> >>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
> >>> Vista & IE 7.0*
> >>>
> >>> Both Microsoft Internet Explorer and Microsoft Windows dominate their
> >>> respective markets, and it is not surprising that the decision to
> >>> update to the current release of Internet Explorer 7.0 and/or Windows
> >>> Vista is fraught with uncertainty.  Primary in the minds of IT
> >>> security professionals is the question of vulnerabilities that may be
> >>> present in these two groundbreaking products.
> >>>
> >>> To help assuage this uncertainty, iDefense Labs is pleased to announce
> >>> the Q1, 2007 quarterly challenge.
> >>>
> >>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
> >>>
> >>> Vulnerability Challenge:
> >>> iDefense will pay $8,000 for each submitted vulnerability that allows
> >>> an attacker to remotely exploit and execute arbitrary code on either
> >>> of these two products.  Only the first submission for a given
> >>> vulnerability will qualify for the award, and iDefense will award no
> >>> more than six payments of $8000.  If more than six submissions
> >>> qualify, the earliest six submissions (based on submission date and
> >>> time) will receive the award.  The iDefense Team at VeriSign will be
> >>> responsible for making the final determination of whether or not a
> >>> submission qualifies for the award.  The criteria for this phase of
> >>> the challenge are:
> >>>
> >>> I) Technologies Covered:
> >>> - -    Microsoft Internet Explorer 7.0
> >>> - -    Microsoft Windows Vista
> >>>
> >>> II) Vulnerability Challenge Ground Rules:
> >>> - -    The vulnerability must be remotely exploitable and must allow
> >>>        arbitrary code execution in a default installation of one of
> >>>        the technologies listed above
> >>> - -    The vulnerability must exist in the latest version of the
> >>>        affected technology with all available patches/upgrades applied
> >>> - -    'RC' (Release candidate), 'Beta', 'Technology Preview' and
> >>>        similar versions of the listed technologies are not included in
> >>>        this challenge
> >>> - -    The vulnerability must be original and not previously disclosed
> >>>        either publicly or to the vendor by another party
> >>> - -    The vulnerability cannot be caused by or require any additional
> >>>        third party software installed on the target system
> >>> - -    The vulnerability must not require additional social engineering
> >>>        beyond browsing a malicious site
> >>>
> >>> Working Exploit Challenge:
> >>> In addition to the $8000 award for the submitted vulnerability,
> >>> iDefense will pay from $2000 to $4000 for working exploit code that
> >>> exploits the submitted vulnerability.  The arbitrary code execution
> >>> must be of an uploaded non-malicious payload.  Submission of a
> >>> malicious payload is grounds for disqualification from this phase of
> >>> the challenge.
> >>>
> >>> I) Technologies Covered:
> >>> - -    Microsoft Internet Explorer 7.0
> >>> - -    Microsoft Windows Vista
> >>>
> >>> II) Working Exploit Challenge Ground Rules:
> >>> Working exploit code must be for the submitted vulnerability only -
> >>> iDefense will not consider exploit code for existing vulnerabilities
> >>> or new vulnerabilities submitted by others.  iDefense will consider
> >>> one and only one working exploit for each original vulnerability
> >>> submitted.
> >>>
> >>> The minimum award for a working exploit is $2000.  In addition to the
> >>> base award, additional amounts up to $4000 may be awarded based upon:
> >>> - -    Reliability of the exploit
> >>> - -    Quality of the exploit code
> >>> - -    Readability of the exploit code
> >>> - -    Documentation of the exploit code
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/