Slashdot Mirror
VeriSign Puts Flaw Bounty on Vista and IE7
rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."
Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self righteous will go for such a scam.
I remember that win 95 had a flaw that allowed anyone to DoS the computer over the network.
:)
This was hilarious to use at the LAN parties.
It would be good fun if someone found a similar flaw with vista and wrote a Linux client for it
1. Put bounty of $8000 on bugs for Vista and IE7.
2. Get friend to go work at MSFT.
.
4. PROFIT!
-- Tigger warning: This post may contain tiggers! --
use insider knowledge of their own software to extract trillions of dollars from VeriSign!
Come on, no-one actually thought people could use MS software for anything else did they?
1) Go get a job at Microsoft
2) Work some of my magic mojo on the next version of Windows
3) Quit my job at Microsoft
4) Profit!!!
Hobby Robotics
While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.
So, not so stupid. Unlike most of the posts on this article so far.
clifgriffin > blog
"In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."
The company spokesman also added they'll double the bounty if the submitter already used the exploit to build a botnet and triple it if promises to use it to send a metric assload of e-mails with the subject "ha-ha" to everyone@microsoft.com.
Did microsoft have a change of management already???
FTA:Microsoft typically frowns on the broker market for flaws in its products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the company said during the last iDefense hacking challenge.
"Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user," a Microsoft spokesperson, in Redmond, Wash., said at that time.
have you seen my sig? there are many others like it but none that are the same
iDefense ask you to provide all your background information, names, addressess, telephones, photocopies of IDs, etc. Most people who can find vulnerabilities will not be willing to sacrifice their privacy. When iDefence and alike will only ask for e-mail address to paypal funds to, I'd be first in line to talk to them.
$8000 might sound like a lot until you compare it to the stories we see of vulnerabilities being sold for $50,000 on underground sites. Why should I sell my findings to them for a much smaller amount?
0*0
00*
***
In Soviet Russia, vulnerability finds YOU! Seriously though, do you think those underground Russian hackers will haggle with VeriSign? They were selling for a lot more than $8,000!
$8000 for a bug report seems like a lot but I wonder if Microsoft's QA folks don't end up earning at least as much for any serious bugs they manage to uncover towards the end of development (salary:bugs ratio, that is). And at this point, it should take a very serious amount of effort to uncover a big vulnerability (well, hopefully), perhaps such that $8000 isn't even worth the time for some.
;-) So, yeah haha big plot by Microsoft to get billions from VeriSign, but not really. The only people that will profit from this IMO are poor computer hackers or IT folks who somehow happened to be using a buggy feature in Vista during work and noticed it.
By the way it would not be that great of an idea for MS employees to go around submitting bugs to VeriSign, particularly if they get published and traced back to some feature those employees were working on
I like basketball!!1!
If you read TFA you would see that they are only offering 6 8K rewards, its not unlimited, you cannot make trillions.
have you seen my sig? there are many others like it but none that are the same
Paying $8000 for each exploitable security flaw in Microsoft products is a quick way to put a company into bankruptcy! I noticed that the bounty only applies to the first six submissions, though, so VeriSign is only out $48000.
Who else here thinks that VeriSign will then turn around and sell the winning entries to the black market for $50000 each? hehe
Pointy Haired Boss: Our goal is to write bug-free software. I'll pay a ten dollar bonus for every bug you find and fix.
2 006/05/13/dilbert_bugFixMinivan.gif
Dilbert: Yahoo!
Alice: We're rich
Wally: Yes!!! Yes!!! Yes!!!
Pointy Haired Boss: I hope this drives the right behavior.
Wally: I'm gonna write me a new minivan this afternoon!
http://www.ourlocalstyle.com/images/uploadImages/
-Erik -- --This message was written using 73% post-consumer electrons--
Yeah I think they're seriously underestimating what a brand-new remote code execution flaw would be worth to the Russian mob. I'm pretty sure $8,000 is a lowball estimate.
Although I suppose you could play both ends against each other, if you were ballsy enough; sell it to Verisign and the mob. Too bad I have this silly fear of death.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Considering that over half the world will be using those soon, and knowing MS, let's hope that: a. Normal users are too stupid to figure out the bugs that destroy their comps, b.VeriSign is very, very, rich, and c. We remember this opportunity, because if you're reading Slashdot, you should be able to detect and report all flaws you come about (in Vista, 500,000,000 per second.) Don't be lazy!
Actually, be lazy. I want to cash in.
$8000 is a substantial reward. However, though we're free to use any methods necessary, Darth wants them ALIVE. No disintegrations!
Sam! If you will let me be,
I will try them.
You will see.
Wouldn't internal Microsoft employees be able to look up bugs that only they know about and then sell those off to third parties to exploit?
Assuming they're not doing this already, that is.
I'd like to think not everyone involved in the "field" is a scumbag criminal in cahoots with the Russian mafia. Go ahead, prove me wrong! Despite the seemingly faceless nature of corporations, it's always human beings like you and me that get screwed in the end.
Frankly, I prefer the company of nitwits.
I think Microsoft should be the one who has to pay for the venerabilities. Maybe then they will have a little bit more of an incentive to produce secure code. The usual market force for this sort of thing (customers will drop the vendor for one who supplies the more secure solution) does not apply when you have a monopoly.
And get paid for it??
Hax0r1ng is getting better all the time!
And they said we were just a bunch of internet hooligans.
muahahhaha
Don't they know how much money you can make blasting Cialis advertisements on random people's computers? AdWare is much more lucrative. They need to step that bounty up. Remote execution exploits for Windows are like virtual gold.
Why not do this for all major software? If MS code is so much buggier than the rest then offering bounties on other code shouldn't cost a lot more than, and we'd see fewer bugs all round.
Or sell it for $50,000 and then resell it again for $8000 + extra $4000 bonus. Not only will you be "helping", you'll also be screwing those adware vendors out of $50,000.
Is it even legal to look for possible holes anymore?
With all the legal issues and suits flying around, id be sort of afraid to admit i knew something.
---- Booth was a patriot ----
Would you get selling the exploit to some nefarious hoodwinks?
30K?
50k?
"If any question why we died, Tell them because our fathers lied."
B: "You exterminate insects, then?"
A: "Sort of. It involves looking in lots of holes. That's all I can say right now. I'm late for a meeting with Jabba."
... and then they built the supercollider.
What a cheap publicity stunt.
A 0day of this kind is worth at least twice that on the black market, mostly to the botnet creators who are the base of all the spam we get.
Assorted stuff I do sometimes: Lemuria.org
Determened, motivated hackers will do better testing than internal testers and cost less too! For each $8k prize issued there'd probably be a few hundred people each spending many hours. Cheap, very cheap!
Engineering is the art of compromise.
...to offset the winner's legal expenses. Do you get an additional prize if you are actually convicted?
If you can read this sig, you're too close.
...both Apple and Cisco are suing VeriSign for the use of iDefense in the name of their labs. Apple claims that it dilutes their brand identity, and Cisco claims that they've been selling "defense" hardware with the "i" trademark for years!
"perhaps the simply righteous will step up"
Yeah, and "the righteous" could code, then there wouldn't be any exploits in the first place. 8-).
-- Terry
Some are working with the Russian military.
If it is legal to do this, why not just legally auction it then? You'll get the best price and can set a minimum bid.
If it is illegal, wouldn't verisign be in a bit of a bother now offering to purchase such a thing?
That's been going on for years. There used to be companies offering $10,000 per exploit, so you spend a month furiously finding them, sell them 10-20 bugs, and you're set for the year. Apparently my boyfriend decided to support himself that way for a while O_o
look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
..like for instance as a bribe to the ad-ware industry. It could seize development of ad-ware for hours, if not days!
Why make trillions when you could make . . . billions?
Why is a 3rd party doing this, instead of Microsoft? If they have such confidence in the security of their new software, I would think they would be open to such a thing. Seems like a win/win to me. Either they get big media attention for having secure software, or they get attention for having bugs, but they were fixed, and it looks like Microsoft was actually doing something to make that happen.
Attached is working exploits for 832 different new vulnerabilities in Microsoft Vista and IE7. Please send me my check for $8,320,000. Sincerely, Bob Smith Sr. Software Engineer bsmith@microsoft.com