Slashdot Mirror

← Back to Stories (view on slashdot.org)

$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Posted by Zonk on from the step-right-up-rilly-big-shew dept.

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says its doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

4 of 173 comments (clear)

  1. No, but... by TheSHAD0W · · Score: 3, Interesting

    It's a great reward if you've stumbled across a hole. Also, you may be able to collect multiple bounties from different organizations for the same hole. I think the bounty system has plenty of merit.

  2. Free money by ThanatosMinor · · Score: 5, Interesting

    I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

    1. Leave subtle flaw in your code
    2. Share information with distant acquaintance
    3. Profit!

  3. Re:IIS 6 by TheRaven64 · · Score: 3, Interesting

    I'd like to second the grandparent's plug of Lighttpd. It's very light-weight and easy to configure. Apache has some features it doesn't, but those are all module that I don't use, which just add to the amount of code that's running on my system and could be responsible for an exploit. Lighttpd seems to have been built with security in mind; it drops privileges and chroots itself at system start. If you want scripting language support, it talks to fastcgi servers, and those can run in their own chroots if you want even more paranoia.

    --
    I am TheRaven on Soylent News
  4. Re:IIS 6 by Bishop · · Score: 5, Interesting

    Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.