Metasploit Launches Exploit Bounty Program
Trailrunner7 writes "The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer. The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list — which includes a flaw in Google Chrome and another in the Windows DNS client — is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules."
Here's the trace: System Error.
Enjoy.
Yours In Osh,
K. Trout
Something that would send IP address and personal information from the local hard drive to a central server?
Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules.
Unfortunately the bounties are being paid using Bitcoin.
#DeleteChrome
If the price is right, I and others might take them up on their offer.
$500 isn't enough money. I can't even buy a decent computer with that.
They need to offer at least $1000, and if it's an exploit that has to be exactly what they are looking for then it should be several thousand.
I'm amazed it took this long for this public of a bounty to get going. The blackhat market has traded in exploits for years now, and vendors have just now really started getting on the bug-bounty-bandwagon, it was only a matter of time before Metasploit and other popular "other side of the fence" offers came up. I wonder what Zeus's authors are paying nowadays? And I wonder what exactly the results of competition in this sector will be? (good for us? bad for us? just a good show?)
I work for the Department of Redundancy Department.
Surely the best thing for them to do would be to let the market decide the price. People can then 'bid' to be the person that received information about the vulnerability, and then other people can try to outbid them if they value that exploit more. Metasploit could then take a cut of the price, just like eBay.
Companies particularly interested in getting information first about exploits in their software could bid high to ensure their offer is always taken up first.
If they are only paying $100 to write the code, that's just cheap.
When the bounties reach $1000, and there are plenty of bounties to choose from that could work.
I foresee programmers intentionally creating a flaw that will get their code on the list, then they'll "fix" it and get paid.
I've heard about $20-40K (cashed in) bounties for real life exploits ...
$100 is an insult.
Is it illegal to write an exploit?
I like Metasploit and I know they haven't got the funds for big bounties but $100 is a joke. I can make that sort of money doing an hour of code review consulting work rather than spending a week trying to find some elusive BoF with zero-knowledge. Anything less than a few grand just isn't worth it when you can get a much greater return on investment of your effort elsewhere.
I wrote a response to a MS Manager who posts here, Foredecker, more than 2++ yrs. ago here on this very site and in emails to him (as well as posts on MS' own sites to Mr. Steven Sinofsky):
This is specifically where he ADMITS that I was correct too, because using 0 creates a SMALLER HOSTS FILE TO PARSE, period:
http://slashdot.org/comments.pl?sid=1467692&cid=30384918
That was also in regards to problems with the local DNS cache, AND, in how Windows VISTA, 7, & Server 2008 have ruined a more efficient way to process HOSTS file data!
(By disallowing using 0 as a blocking "address", after the 12/09/2008 MS "Patch Tuesday" fix - Windows 2000/XP/Server 2003 can STILL USE 0!)
The point there was that using 0 as a blocking IP address IS MORE EFFICIENT (especially in larger HOSTS files, which I elect to use to protect myself for more "layered security" vs. malware & such) vs. the larger & slower 0.0.0.0 or 127.0.0.1 (largest & slowest of them all - plus, it incurs the "loopback operation" as well, the other 2 just "blackhole").
He said he'd get back to me on it... think he did? No. Was this corrected, so it operates as efficiently as Windows 2000/XP/Server 2003 do?? Again, no...
(Funniest part is, he is/was the SENIOR VP of the "Windows Client Performance Division", & you'd think he was interested in gaining greater performance out of them! Apparently not!)
You can point out corrections to these people ALL DAY, & you'll get the answer I did from him:
"You're micro-optimizing"
Funny answer that!
Especially from the guy who is/was SENIOR VP OF THE MICROSOFT WINDOWS CLIENT PERFORMANCE DIVISION, eh? Not!
APK
P.S.=> The local DNS client cache service CHOKES on larger HOSTS files... the structure it loads into is LIMITED IN SIZE/STATIC, & that's a problem (I am fairly certain) in it, for one thing (in addition to the ability to send it bogus data to make it screw up)... apk