Slashdot Mirror


$16,000 Bounty for Sendmail, Apache Zero-Day Flaws

Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'"

2 of 173 comments

  1. $16,000? by FutureDomain · Score: 0, Redundant

    *begins digging through code*

    --
    Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
  2. Chump change by Plutonite · Score: 0, Redundant

    $16000 is nothing. If you run a botnet you can have $10000 rolling in per week, alternatively if you have undisclosed vulnerabilities and the right contacts, you won't bother with the silly bot-masters who will get you discovered even though they will gladly pay anything from 50 - 150 grand for a remote hole. More likely, you would save up the good holes for high-paying, one shot mob deals against banks, and maybe government intelligence (they have a big budget for that in Soviet Russia and China). 16000 dollars? No, sorry, IIS is perfectly secure!!

    PS: I am not some shady person who wears black hats. Hacking is too dangerous for a nice guy like me, even though almost anything can be done with time and dedication... even the functions that check string lengths to prevent overflows can be hacked :D