Bugtraq mailing list archives

Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE


From: Jim Manico <jim () manico net>
Date: Tue, 16 Jan 2007 11:19:27 -1000

A legitimate buyer is not necessarily an ethical buyer. Demand to know
the buyer first, then do your homework. As always, proceed with caution.

- Jim

Simon Smith wrote:
Amen!
KF is 100% on the money. I can arrange the legitimate purchase of most
working exploits for significantly more money than iDefense, in some cases
over $75,000.00 per purchase. The company that I am working with has a
relationship with a legitimate buyer, all transactions are legal. If you're
interested contact me and we'll get the ball rolling.

-Simon

$8000.00 USD is low!

On 1/16/07 12:29 PM, "K F (lists)" <kf_lists () digitalmunition com> wrote:

No offense to iDefense as I have used their services in the past... but
MY Q1 2007 Challenge to YOU is to start offering your researchers more
money in general! I've sold remotely exploitable bugs in random 3rd
party products for more $$ than you are offering for these Vista items
(see the h0n0 #3). I really think you guys are devaluing the exploit
market with your low offers... I've had folks mail me like WOW iDefense
offered me $800 for this remote exploit. Pfffttt not quite.

We all know black hats are selling these sploits for <=$25k so why
should the legit folks settle for anything less? As an example the guys
at MOAB kicked around selling a Quicktime bug to iDefense but in the end
we decided it was not worth it due to low pay...

Low Pay == Not getting disclosed via iDefense....

-KF

I know someone who will pay significantly more per vulnerability against the
same targets.

On 1/10/07 12:27 PM, "contributor" <Contributor () idefense com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also available at:
http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows dominate their
respective markets, and it is not surprising that the decision to update
to the current release of Internet Explorer 7.0 and/or Windows Vista is
fraught with uncertainty. Primary in the minds of IT security
professionals is the question of vulnerabilities that may be present in
these two groundbreaking products. To help assuage this uncertainty,
iDefense Labs is pleased to announce the Q1, 2007 quarterly challenge.

Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability Challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows an
attacker to remotely exploit and execute arbitrary code on either of
these two products. Only the first submission for a given vulnerability
will qualify for the award, and iDefense will award no more than six
payments of $8000. If more than six submissions qualify, the earliest
six submissions (based on submission date and time) will receive the
award. The iDefense Team at VeriSign will be responsible for making the
final determination of whether or not a submission qualifies for the
award. The criteria for this phase of the challenge are:

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
- The vulnerability must be remotely exploitable and must allow arbitrary
  code execution in a default installation of one of the technologies
  listed above
- The vulnerability must exist in the latest version of the affected
  technology with all available patches/upgrades applied
- 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
  versions of the listed technologies are not included in this challenge
- The vulnerability must be original and not previously disclosed either
  publicly or to the vendor by another party
- The vulnerability cannot be caused by or require any additional third
  party software installed on the target system
- The vulnerability must not require additional social engineering beyond
  browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability, iDefense
will pay from $2000 to $4000 for working exploit code that exploits the
submitted vulnerability. The arbitrary code execution must be of an
uploaded non-malicious payload. Submission of a malicious payload is
grounds for disqualification from this phase of the challenge.

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only -
iDefense will not consider exploit code for existing vulnerabilities or
new vulnerabilities submitted by others. iDefense will consider one and
only one working exploit for each original vulnerability submitted.

The minimum award for a working exploit is $2000. In addition to the base
award, additional amounts up to $4000 may be awarded based upon:
- Reliability of the exploit
- Quality of the exploit code
- Readability of the exploit code
- Documentation of the exploit code


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim () manico net
808.652.3805
