Metasploit Launches Exploit Bounty Program
Trailrunner7 writes "The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer. The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list — which includes a flaw in Google Chrome and another in the Windows DNS client — is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules."
Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules.
Unfortunately the bounties are being paid using Bitcoin.
#DeleteChrome
Considering Google is offering $1337, it really doesn't seem like a lot.
$1337 is enough money to buy a brand new computer. It's enough money to pay rent for a month. That's the kind of money that would make me invest the time.
And of course they need a system of determining who is working on what and some sort of reservation system. If I agree to write code, I don't want anyone else writing the same code. Anyway it's a start, and I hope more companies and websites start offering these kinds of bounties. They won't have any problem finding people looking to write exploit code in this economy.
Definitely good. Most of this exploit code looks trivial to write, just time consuming.
The more money they put up to allow people to make money, the more people they'll have writing exploit code.
My thoughts exactly. Mozilla and Google are offering about $3,000 for exploits and TippingPoint has got a whole multi-tiered points-scheme for them. Some of the exploits they want modules for look pretty complicated, and worth more than $100. But given that many people would contribute to Metasploit for free, I suppose it's still a nice Bug Bounty experiment.
Julie