Slashdot Mirror

← Back to Stories (view on slashdot.org)

$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Posted by Zonk on from the step-right-up-rilly-big-shew dept.

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says its doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

2 of 173 comments (clear)

  1. Free money by ThanatosMinor · · Score: 5, Interesting

    I wonder if the current rise in prizes being offered for discovering vulnerabilities in code might lead to some sneaky behavior.

    1. Leave subtle flaw in your code
    2. Share information with distant acquaintance
    3. Profit!

  2. Re:IIS 6 by Bishop · · Score: 5, Interesting

    Lighttpd may seem to have been built with security in mind, but it hasn't. Superficially Lighttpd does all the right security things, but search for "lighttpd memory leak." Secure software does not leak memory.