Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

[Simon Smith <simon () snosoft com>]

Amen!
    KF is 100% on the money. I can arrange the legitimate purchase of most
working exploits for significantly more money than iDefense, In some cases
over $75,000.00 per purchase. The company that I am working with has a
relationship with a legitimate buyer, all transactions are legal. If you're
interested contact me and we'll get the ball rolling.

-Simon
   

    $8000.00 USD is low!

On 1/16/07 12:29 PM, "K F (lists)" <kf_lists () digitalmunition com> wrote:

> No offense to iDefense as I have used their services in the past... but
> MY Q1 2007 Challenge to YOU is to start offering your researchers more
> money in general! I've sold remotely exploitable bugs in random 3rd
> party products for more $$ than you are offering for these Vista items
> (see the h0n0 #3). I really think you guys are devaluing the exploit
> market with your low offers... I've had folks mail me like WOW iDefense
> offered me $800 for this remote exploit. Pfffttt not quite.
>
> We all know black hats are selling these sploits for <=$25k so why
> should the legit folks settle for anything less? As an example the guys
> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
> we decided it was not worth it due to low pay...
>
> Low Pay == Not getting disclosed via iDefense....
>
> -KF
>
>
> > I know someone who will pay significantly more per vulnerability against the
> > same targets. 
> >
> >
> > On 1/10/07 12:27 PM, "contributor" <Contributor () idefense com> wrote:
> >
> >   
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >     
> > Hash: SHA1
> >  
> > Also available at:
> >
> >
> >   
> > > http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+cha
> > > ll
> > > enge
> > >     
> >
> > *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities
> >   
> > > in
> > >     
> > Vista & IE 7.0*
> >
> > Both Microsoft Internet Explorer and Microsoft Windows
> >   
> > > dominate their
> > >     
> > respective markets, and it is not surprising that the decision
> >   
> > > to
> > >     
> > update to the current release of Internet Explorer 7.0 and/or Windows
> > Vista
> >   
> > > is fraught with uncertainty.  Primary in the minds of IT
> > >     
> > security
> >   
> > > professionals is the question of vulnerabilities that may be
> > >     
> > present in these
> >   
> > > two groundbreaking products.
> > >     
> >
> > To help assuage this uncertainty, iDefense Labs
> >   
> > > is pleased to announce
> > >     
> > the Q1, 2007 quarterly challenge.
> >
> > Remote Arbitrary
> >   
> > > Code Execution Vulnerabilities in Vista and IE 7.0
> > >     
> >
> > Vulnerability
> >   
> > > Challenge:
> > >     
> > iDefense will pay $8,000 for each submitted vulnerability that
> >   
> > > allows
> > >     
> > an attacker to remotely exploit and execute arbitrary code on either
> > of
> >   
> > > these two products.  Only the first submission for a given
> > >     
> > vulnerability will
> >   
> > > qualify for the award, and iDefense will award no
> > >     
> > more than six payments of
> >   
> > > $8000.  If more than six submissions
> > >     
> > qualify, the earliest six submissions
> >   
> > > (based on submission date and
> > >     
> > time) will receive the award.  The iDefense Team
> >   
> > > at VeriSign will be
> > >     
> > responsible for making the final determination of whether
> >   
> > > or not a
> > >     
> > submission qualifies for the award.  The criteria for this phase
> >   
> > > of
> > >     
> > the challenge are:
> >
> > I) Technologies Covered:
> > - -    Microsoft Internet
> >   
> > > Explorer 7.0
> > >     
> > - -    Microsoft Windows Vista
> >
> > II) Vulnerability Challenge
> >   
> > > Ground Rules:
> > >     
> > - -    The vulnerability must be remotely exploitable and must
> >   
> > > allow
> > >     
> > arbitrary code execution in a default installation of one of
> >   
> > > the
> > >     
> > technologies listed above
> > - -    The vulnerability must exist in the
> >   
> > > latest version of the
> > >     
> > affected technology with all available patches/upgrades
> >   
> > > applied
> > >     
> > - -    'RC' (Release candidate), 'Beta', 'Technology Preview'
> >   
> > > and
> > >     
> > similar versions of the listed technologies are not included in
> >   
> > > this
> > >     
> > challenge
> > - -    The vulnerability must be original and not previously
> >   
> > > disclosed
> > >     
> > either publicly or to the vendor by another party
> > - -    The
> >   
> > > vulnerability cannot be caused by or require any additional
> > >     
> > third party
> >   
> > > software installed on the target system
> > >     
> > - -    The vulnerability must not
> >   
> > > require additional social engineering
> > >     
> > beyond browsing a malicious
> >   
> > > site
> > >     
> >
> > Working Exploit Challenge:
> > In addition to the $8000 award for the
> >   
> > > submitted vulnerability,
> > >     
> > iDefense will pay from $2000 to $4000 for working
> >   
> > > exploit code that
> > >     
> > exploits the submitted vulnerability.  The arbitrary code
> >   
> > > execution
> > >     
> > must be of an uploaded non-malicious payload.  Submission of
> >   
> > > a
> > >     
> > malicious payload is grounds for disqualification from this phase of
> > the
> >   
> > > challenge.
> > >     
> >
> > I) Technologies Covered:
> > - -    Microsoft Internet Explorer 7.0
> > -
> >   
> > > -    Microsoft Windows Vista
> > >     
> >
> > II) Working Exploit Challenge Ground
> >   
> > > Rules:
> > >     
> > Working exploit code must be for the submitted vulnerability only
> >   
> > > ­
> > >     
> > iDefense will not consider exploit code for existing vulnerabilities
> > or new
> >   
> > > vulnerabilities submitted by others.  iDefense will consider
> > >     
> > one and only one
> >   
> > > working exploit for each original vulnerability
> > >     
> > submitted.
> >
> > The minimum award
> >   
> > > for a working exploit is $2000.  In addition to the
> > >     
> > base award, additional
> >   
> > > amounts up to $4000 may be awarded based upon:
> > >     
> > - -    Reliability of the
> >   
> > > exploit
> > >     
> > - -    Quality of the exploit code
> > - -    Readability of the exploit
> >   
> > > code
> > >     
> > - -    Documentation of the exploit code
> >
> >
> > -----BEGIN PGP
> >   
> > > SIGNATURE-----
> > >     
> > Version: GnuPG v1.4.3 (MingW32)
> > Comment: Using GnuPG with
> >   
> > > Mozilla - http://enigmail.mozdev.org
> > >     
> >
> >   
> > iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
> > QkO9IXq+PsC6
> >   
> > > bMKg7j6Dwfw=
> > >     
> > =N0am
> > -----END PGP
> >   
> > > SIGNATURE-----
> > >     
> >
> > _______________________________________________
> > Full-Disclosur
> >   
> > > e - We believe in it.
> > >     
> > Charter:
> >   
> > > http://lists.grok.org.uk/full-disclosure-charter.html
> > >     
> > Hosted and sponsored by
> >   
> > > Secunia - http://secunia.com/
> > >     
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >