Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days (bleepingcomputer.com)
Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, and NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000 for the right exploit.
This makes me sad. People working on open source projects get nothing. Sometimes they get some money. Sometimes they get some fame. People who don't build anything, but find a hole, they are heroes, they get prizes, they are worshiped.
If there is a commonly used open source library without hackable bugs, you won't even hear about the author who committed his/her own time to build reliable software.
If someone finds a bug, then she will get some prize, and will be invited to a conference. And the library author will be publicly bashed as an idiot.
Sometimes open source people don't even get mentions.
I was working on a patch for a huge open source project once. I spent hours on that. Two other people helped me, they also spent some significant time on that. And we managed to implement this. Who was mentioned in the release changelog? The person who committed that. Then I stopped spending my precious time on such things like giving someone the credits for my work. I love programming, I work on my own projects instead.
And all that makes me sad.
Being OSS systems, there's now real incentive for bad actors to try to INSERT "zero day" exploits into mainline code, putting yet even more pressure on maintainers to try and keep them.
Pretty much this. Nobody would pay _this_ much for exploits for anything that was easy to attack. There is a good chance they will not actually get many exploits and probably nothing at all in the higher classes. Otherwise they would not offer this much.
It is funny, however, how some completely clueless morons here think this somehow says these OSes are inferior or that exploits in this price range will ever be used for mass attacks.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
0-day exploit in OpenBSD?
Hahahaha
I suppose the reason why OpenBSD has the record it has is that they don't laugh at questions like that.