Slashdot Mirror

← Back to Stories (view on slashdot.org)

$10k Bounty for Critical Windows Flaws

Posted by ryuzaki0 on from the rolling-in-the-benjamins dept.

An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""

30 of 138 comments (clear)

  1. Buy MSFT now by biocute · · Score: 5, Funny

    I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and makes zillions of them?

    1. Design flawed OS
    2. Wait for bounty on flaws
    3. Submit flaws
    4. Issue "critical" advisories on those flaws
    5. Profit!!!

    Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.

    --
    Virtual Betting on Facebook for non-geeks.
    1. Re:Buy MSFT now by borawjm · · Score: 2, Funny

      It's all a joke...

      On April 1st, iDefense will file for bankruptcy. Ha. Ha. "April Fools!"

  2. Vista! by Anonymous Coward · · Score: 5, Funny

    Now where's my check?

  3. I could use an extra 10k by Yaksha42 · · Score: 3, Funny

    It's times like this, when the rent is due, that I wish I knew more about hacking. :(

  4. They're calling it... by deathbyzen · · Score: 2, Funny

    Operation: Who Wants To Be A Millionaire?

  5. Remember though by saskboy · · Score: 4, Interesting

    If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

    On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  6. Can anybody say, "lawsuit"? by Anonymous Coward · · Score: 3, Insightful

    I can't imagine MS is gonna be too pleased with this.

    And they have a couple law-talkin guys on staff.

    1. Re:Can anybody say, "lawsuit"? by Uncle+Rummy · · Score: 2, Insightful

      Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.

  7. Linux needs a similar plan. by MikeFM · · Score: 4, Interesting

    This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

    As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    1. Re:Linux needs a similar plan. by GigsVT · · Score: 2, Informative

      Artifex does a bug bounty for ghostscript, but it's for patches, not for reports. $500 or $1000, depending on how critical a bug you fix.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Linux needs a similar plan. by freeweed · · Score: 2, Insightful

      Yeah, and considering the $10,000 applies to vulnerabilities rated as "critical", you'd hardly ever pay out.

      A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  8. $10 k isn't a lot for hackes by madnuke · · Score: 4, Insightful

    That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.

  9. Found it! by Fr05t · · Score: 5, Funny

    iexplore.exe

    You may send the prize money to PO Box 3872, Moncton, NB, Canada

  10. Shrewd business move for Verisign by Weaselmancer · · Score: 2, Insightful

    They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

    Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.

    --
    Weaselmancer
    rediculous.
  11. In the words of Dilbert by gasmonso · · Score: 5, Funny

    Some Vista developer is saying to himself, "I'm gonna code me a minivan!"

    http://religiousfreaks.com/
  12. What if five people find the same flaw? by autopr0n · · Score: 4, Interesting

    I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independantly? What happens then?

    --
    autopr0n is like, down and stuff.
    1. Re:What if five people find the same flaw? by idef · · Score: 2, Informative

      Correct - "Only the initial submission for a given vulnerability will qualify for the reward. "
      http://labs.idefense.com/labs.php?show=21#a21

      Michael Sutton
      Director, iDefense Labs

  13. Free Press - Contest is a joke... by xxxJonBoyxxx · · Score: 4, Insightful
    "iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

    Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

  14. Upcoming headline by Anonymous Coward · · Score: 5, Funny

    Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.

  15. Why only Windows? by feranick · · Score: 2, Interesting

    Maybe I am provocative... Anyway: when are we going to have similar initiatives for OSX or linux?

  16. Verisign?? by Rob+T+Firefly · · Score: 2, Insightful

    It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  17. Re:WTF? by mythosaz · · Score: 2, Insightful

    (a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]

    (b) People pay for these exploits because if they can take advantage of them, they can continue to spread their spam and malware from and to unwitting, unwilling and unaware people. Turning thousands of PCs into your own private email relay stations is motivation. Installing scumware/adware/spyware on thousands more is motivation.

  18. Let's get the most obvious one out of the way by Anonymous Coward · · Score: 2, Funny

    Users.

    My prize may be donated to the Association for Smacking Stupid People Upside the Head.

  19. Simpler plan for MS by this+great+guy · · Score: 3, Funny
    I have a simpler plan for MS:
    1. Design flawed OS
    2. Sell flawed OS
    3. Profit !!!
    Any ressemblance to any situation, person, event, past, present and future is completely fortuitous.
  20. Clank go the handcuffs by TallMatthew · · Score: 2, Insightful
    "Here's your exploit, now where's my ten grand?"

    "Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."

  21. What about beta? by TopSpin · · Score: 2, Insightful

    If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

    --
    Lurking at the bottom of the gravity well, getting old
  22. Re:Windows research is clearly more profitable... by LordLucless · · Score: 4, Insightful

    There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.

    That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

    Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.

    Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  23. DMCA violation? by sl4shd0rk · · Score: 2, Interesting

    Do the world a great service by finding windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the dmca because you took apart some binaries. Don't agree? Why do you think symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  24. I found a flaw!!! by Khyber · · Score: 3, Funny

    d:\setup.exe

    I'll take my ten grand now. Oh wait, I found another one!!

    explorer.exe

    There's twenty grand you owe me now!

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  25. Remote holes in Linux distros by StupidKatz · · Score: 2, Funny

    RedHat
    Mandrake
    Slackware (IIRC)

    ... and any other distro which enabled OpenSSH versions 2.3.1p1 through 3.3 by default.

    So, is that $10,000 per instance...? ;)