Slashdot Mirror


Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days (bleepingcomputer.com)

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000, for the right exploit.

25 of 91 comments

  1. Meanwhile... by Joce640k · · Score: 3, Funny

    Meanwhile: Windows exploits are still only worth $2.

    --
    No sig today...
    1. Re:Meanwhile... by Anonymous Coward · · Score: 1

      Based on the table embedded in the article, they are more expensive than the Linux ones.

    2. Re:Meanwhile... by Joce640k · · Score: 1

      Full credit to Microsoft though, they used to be Ten-a-Penny.

      (And before that they were free: Outlook used to simply execute any code that arrived in your inbox)

      --
      No sig today...
  2. In other words by Opportunist · · Score: 1

    We already have more than enough for Windows and MacOS, no need to pay for anything there.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:In other words by gweihir · · Score: 3, Insightful

      Pretty much this. Nobody would pay _this_ much for exploits for anything that was easy to attack. There is a good chance they will not actually get many exploits and probably nothing at all in the higher classes. Otherwise they would not offer this much.

      It is funny however, how some completely clueless morons here think this somehow says these OSes are inferior or that exploits in this price-range will ever be used for mass-attacks.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:In other words by mnemotronic · · Score: 1

      You say "BSD" more than my preacher says "God" or "Jesus" or "Blessed Virgin Mary" combined. Almost as much as he says "I need a fu*king drink" or "get them pants off, boy". Not that it matters. I'm just sayin...

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    3. Re:In other words by OrangeTide · · Score: 1

      BSD. the one true religion

      --
      “Common sense is not so common.” — Voltaire
    4. Re:In other words by zwarte+piet · · Score: 1

      But programming a vulnerability yourself is easy enough

  3. open source isn't worth the time investment by Anonymous Coward · · Score: 2, Insightful

    This makes me sad. People working on open source projects get nothing. Sometimes they get some money. Sometimes they get some fame. People who don't build anything, but find a hole, they are heroes, they get prizes, they are worshiped.

    If there is a commonly used open source library without hackable bugs, you won't even hear about the author who committed his/her own time to build reliable software.

    If someone finds a bug, then she will get some prize, and will be invited to a conference. And the library author will be publicly bashed as an idiot.

    Sometimes open source people don't even get mentions.

    I was working on a patch for a huge open source project once. I spent hours on that. Two other people helped me, they also spent some significant time on that. And we managed to implement this. Who was mentioned in the release changelog? The person who committed that. Then I stopped spending my precious time on such things like giving someone the credits for my work. I love programming, I work on my own projects instead.

    And all that makes me sad.

  4. The scary part by Anonymous Coward · · Score: 5, Insightful

    Being OSS systems, there's now real incentive for bad actors to try to INSERT "zero day" exploits into mainline code, putting even more pressure on maintainers to try and keep them out.

    1. Re:The scary part by Camel+Pilot · · Score: 1

      Yes.... Reminds me of Dilbert where the PHB announces a new bug bounty program and the software developers leave the meeting commenting that they need to get going as they were gonna write up a new car over the weekend.

  5. So, a new market emerges by what+about · · Score: 1

    Creating a zero day so obscure that nobody notices and then you sell it.
    Wondering if the price is the same even if you write the bug...

    now... let me see the quality of systemd code...

  6. Poettering says security isn't their job by raymorris · · Score: 3, Informative

    > now... let me see the quality of systemd code

    That's where I would go looking. Lennart Poettering has been pretty clear that his perspective is that it's not his job, or the job of the systemd developers, to write secure, robust code. It's the job of the annoying security people to point out the security issues and then convince him that the problem is so bad it absolutely must be fixed - even though that takes up time that could instead be used to make systemd bigger and more comprehensive.

    The last time I saw a similarly bad attitude about security was WordPress about 12 years ago. The leadership at WordPress got a better attitude after the media reported widespread exploits of exactly the kinds of exposures I had warned them about a couple years before.

    1. Re:Poettering says security isn't their job by Miser · · Score: 1

      > even though that takes up time that could instead be used to make systemd bigger and more comprehensive

      Bigger and more invasive you mean..... :)

  7. Finally explains how Poettering earns an income by Anonymous Coward · · Score: 1

    Step 1) Create an init system riddled with vulnerabilities and bad code
    Step 2) ?
    Step 3) Profit!

    And now we know that step 2 is to sell them to Zerodium

  8. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  9. $20 for OS/2 Warp Zero-Days by martiniturbide · · Score: 2

    Here goes my bid !!!

  10. Pwnie award for "lamest vendor" by raymorris · · Score: 4, Informative

    This article has several links to Poettering responding to security bugs, and what he's (not) going to do to fix problems, or note any fixes in the changelogs or commit messages. This is why he won the Pwnie award for lamest vendor response to security issues.

    https://www.theregister.co.uk/...

  11. Yeah sure by jens_n · · Score: 1

    0-day exploit in OpenBSD? Hahahaha

    1. Re:Yeah sure by Anonymous Coward · · Score: 2, Insightful

      > 0-day exploit in OpenBSD?
      >
      > Hahahaha

      I suppose the reason why OpenBSD has the record it has is that they don't laugh at questions like that.

  12. Re:Registered /.ers review of the Win64 model by OrangeTide · · Score: 1

    > I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I've terminated my use of APK hosts. Too much spam from the creator.

    --
    “Common sense is not so common.” — Voltaire
  13. Re:Imagine you found a zero-day by OrangeTide · · Score: 1

    I'd sell it to them, collect their dirty money, and then publicly notify the right people.

    Depends on the government I guess. If it was sold to the Russian government then waking up with polonium poisoning is not worth $500k.

    Then maybe disappear for a while, heheheh!

    Spies and KGB agents that have defected still die of mysterious deaths sometimes years later, you'd think they would be experts in this. Russia's need for revenge is strong, Ramón Mercader found Leon Trotsky 10 years after his exile and put an ice axe into his head.

    --
    “Common sense is not so common.” — Voltaire
  14. Re:Oh well... apk by OrangeTide · · Score: 1

    > ... but @ least I'm on topic (stalling zero-day malware payloads) - you're not - I also keep another quote from you on how hosts files stall ads even in video streams too!

    Used to be effective with YouTube ads, but not any more. More due as a quirk with how YouTube/Google set up their content distribution than due to any special magic of hosts file.

    --
    “Common sense is not so common.” — Voltaire
  15. Re:Imagine you found a zero-day by OrangeTide · · Score: 1

    Seems like a risky game to play and I wouldn't do it. There are easier ways to make money.

    --
    “Common sense is not so common.” — Voltaire
  16. Re:Really? I find the opposite... apk by OrangeTide · · Score: 1

    Like I said, it doesn't work. There isn't really a way out with the latest YouTube architecture. I'm sure your hosts can block other video ads, especially on websites using a third party ad service. But there are several other hosts files that accomplish the same thing without using yours specifically. The mechanism is pretty widely understood, and not significantly different than the RBL I use for spam filtering (although that is distributed through DNS rather than through a file, it's the same sort of data).

    I guess my complaints are: it's not a panacea (which is not a fair complaint, so sorry about that), your hosts file is not the only one out there.

    --
    “Common sense is not so common.” — Voltaire
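The comment above compares a hosts-file blocklist with a DNS-based RBL. As an added example (not part of the thread, and not code from APK's hosts project or any real RBL), the block below parses a blocklist in hosts-file format, shows that hosts matching is exact-name only (a subdomain of a listed name is not blocked), and builds the reversed-octet query name an RBL lookup uses. The hosts snippet, the `rbl.example` zone and the listed address are constructed for this example.

```python
"""Added example: hosts-file blocklist vs. DNS RBL, the same kind of data
encoded two ways. Hosts files match exact hostnames; an RBL is queried by
reversing the address's octets (IPv6: nibbles) under a zone name.
All sample data here is constructed, not taken from any real list."""
import ipaddress

# Constructed hosts-file snippet in the usual blocklist layout: comments,
# blank lines, a 0.0.0.0 or 127.0.0.1 sink address, several names per line.
SAMPLE_HOSTS = """
# constructed sample, not a real blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net tracker.example.net
0.0.0.0 video-ads.example.org   # trailing comment
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the hostnames the file sinks to a loopback/null address."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue                            # not a sink entry
        for name in fields[1:]:
            blocked.add(name.lower().rstrip("."))
    blocked.discard("localhost")                # sinked, but not a block entry
    return blocked


def hosts_blocks(blocked: set[str], hostname: str) -> bool:
    """Hosts files are exact-match: the resolver looks up the literal name,
    so 'cdn.ads.example.net' is NOT covered by an 'ads.example.net' entry.
    This is the main reason ad networks on new subdomains slip past them."""
    return hostname.lower().rstrip(".") in blocked


def rbl_query_name(ip: str, zone: str) -> str:
    """Build a DNSBL lookup name: IPv4 octets reversed (or IPv6 nibbles
    reversed) under the list's zone. 'rbl.example' is a placeholder zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed stand-in for the RBL's DNS data: the set of names that would
# resolve. A real RBL answers a 127.0.0.x A record for listed entries and
# NXDOMAIN for everything else; here membership in a set plays that role.
SAMPLE_RBL_ZONE = "rbl.example"
SAMPLE_RBL_LISTED = {rbl_query_name("192.0.2.5", SAMPLE_RBL_ZONE)}


def rbl_lists(ip: str) -> bool:
    """True if the address is on the constructed sample list."""
    return rbl_query_name(ip, SAMPLE_RBL_ZONE) in SAMPLE_RBL_LISTED


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS)
    print(sorted(blocked))
    print(hosts_blocks(blocked, "ads.example.net"),
          hosts_blocks(blocked, "cdn.ads.example.net"))
    print(rbl_query_name("192.0.2.5", SAMPLE_RBL_ZONE), rbl_lists("192.0.2.5"))
```

The exact-match behaviour is the practical difference from a DNS-distributed list: an RBL operator can add entries centrally and every client sees them on the next query, while a hosts file only blocks names that were literally present when it was last downloaded.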