Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

5 of 173 comments

  1. $16,000 by Anonymous Coward · · Score: 5, Insightful

    arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so-called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

    1. Re:$16,000 by Mr. Underbridge · · Score: 4, Insightful

      arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies. Clearly, the so-called experts aren't aware of the multitudes of enterprising folks living outside the inflated Western wage spectrum. For someone a little more eastbound, that's a nice chunk of change.

      Not only that, but I'm assuming that claiming the prize and the advertising that goes with it - advertising your skills, that is - is the more valuable part. I'm imagining that the type of person who could claim the prize is interested in doing this sort of thing anyway. The prize would be a nice cash reward and a fantastic thing to put on a resume.

  2. Entrapment? by Anarchysoft · · Score: 4, Insightful

    Considering that creating exploits and/or publishing them is considered a criminal offense in some jurisdictions, I wonder how many submissions they'll get. Especially when a good unknown exploit could be worth far more than 16,000.

  3. Re:Bidding war. by MarkGriz · · Score: 4, Insightful

    "Do you sell it to those guys for $16K ... or do you see what Microsoft will pay you NOT to sell it to them?"

    Neither. You auction it off to the highest bidding spamgang. Or so I've heard.

    --
    Beauty is in the eye of the beerholder.

  4. Re:Already in real life. by Phleg · · Score: 4, Insightful

    What the fuck? Employee figures out way to save us $15 million. Employee parts with $1 million. Net savings: $14 million. So the company netted $14 million, and suddenly thinks this whole thing was a bad idea?

    --
    No comment.