Slashdot Mirror

← Back to Stories (view on slashdot.org)

$10k Bounty for Critical Windows Flaws

Posted by ryuzaki0 on from the rolling-in-the-benjamins dept.

An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""

15 of 138 comments (clear)

  1. Buy MSFT now by biocute · · Score: 5, Funny

    I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and makes zillions of them?

    1. Design flawed OS
    2. Wait for bounty on flaws
    3. Submit flaws
    4. Issue "critical" advisories on those flaws
    5. Profit!!!

    Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.

    --
    Virtual Betting on Facebook for non-geeks.
  2. Vista! by Anonymous Coward · · Score: 5, Funny

    Now where's my check?

  3. I could use an extra 10k by Yaksha42 · · Score: 3, Funny

    It's times like this, when the rent is due, that I wish I knew more about hacking. :(

  4. Remember though by saskboy · · Score: 4, Interesting

    If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

    On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  5. Can anybody say, "lawsuit"? by Anonymous Coward · · Score: 3, Insightful

    I can't imagine MS is gonna be too pleased with this.

    And they have a couple law-talkin guys on staff.

  6. Linux needs a similar plan. by MikeFM · · Score: 4, Interesting

    This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

    As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  7. $10 k isn't a lot for hackes by madnuke · · Score: 4, Insightful

    That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.

  8. Found it! by Fr05t · · Score: 5, Funny

    iexplore.exe

    You may send the prize money to PO Box 3872, Moncton, NB, Canada

  9. In the words of Dilbert by gasmonso · · Score: 5, Funny

    Some Vista developer is saying to himself, "I'm gonna code me a minivan!"

    http://religiousfreaks.com/
  10. What if five people find the same flaw? by autopr0n · · Score: 4, Interesting

    I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independantly? What happens then?

    --
    autopr0n is like, down and stuff.
  11. Free Press - Contest is a joke... by xxxJonBoyxxx · · Score: 4, Insightful
    "iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

    Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

  12. Upcoming headline by Anonymous Coward · · Score: 5, Funny

    Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.

  13. Simpler plan for MS by this+great+guy · · Score: 3, Funny
    I have a simpler plan for MS:
    1. Design flawed OS
    2. Sell flawed OS
    3. Profit !!!
    Any ressemblance to any situation, person, event, past, present and future is completely fortuitous.
  14. Re:Windows research is clearly more profitable... by LordLucless · · Score: 4, Insightful

    There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.

    That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

    Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.

    Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  15. I found a flaw!!! by Khyber · · Score: 3, Funny

    d:\setup.exe

    I'll take my ten grand now. Oh wait, I found another one!!

    explorer.exe

    There's twenty grand you owe me now!

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.