Re: [Full-disclosure] iDefense Q-1 2007 Challenge
I know someone who will pay significantly more per vulnerability against the
same targets.
On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Also available at:
> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>
> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
> Vista & IE 7.0*
>
> Both Microsoft Internet Explorer and Microsoft Windows dominate their
> respective markets, and it is not surprising that the decision to
> update to the current release of Internet Explorer 7.0 and/or Windows
> Vista is fraught with uncertainty. Primary in the minds of IT security
> professionals is the question of vulnerabilities that may be present in
> these two groundbreaking products.
>
> To help assuage this uncertainty, iDefense Labs is pleased to announce
> the Q1, 2007 quarterly challenge.
>
> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>
> Vulnerability Challenge:
>
> iDefense will pay $8,000 for each submitted vulnerability that allows
> an attacker to remotely exploit and execute arbitrary code on either of
> these two products. Only the first submission for a given vulnerability
> will qualify for the award, and iDefense will award no more than six
> payments of $8000. If more than six submissions qualify, the earliest
> six submissions (based on submission date and time) will receive the
> award. The iDefense Team at VeriSign will be responsible for making the
> final determination of whether or not a submission qualifies for the
> award. The criteria for this phase of the challenge are:
>
> I) Technologies Covered:
>
> - - Microsoft Internet Explorer 7.0
> - - Microsoft Windows Vista
>
> II) Vulnerability Challenge Ground Rules:
>
> - - The vulnerability must be remotely exploitable and must allow
> arbitrary code execution in a default installation of one of the
> technologies listed above
> - - The vulnerability must exist in the latest version of the
> affected technology with all available patches/upgrades applied
> - - 'RC' (Release candidate), 'Beta', 'Technology Preview' and
> similar versions of the listed technologies are not included in this
> challenge
> - - The vulnerability must be original and not previously disclosed
> either publicly or to the vendor by another party
> - - The vulnerability cannot be caused by or require any additional
> third party software installed on the target system
> - - The vulnerability must not require additional social engineering
> beyond browsing a malicious site
>
> Working Exploit Challenge:
>
> In addition to the $8000 award for the submitted vulnerability,
> iDefense will pay from $2000 to $4000 for working exploit code that
> exploits the submitted vulnerability. The arbitrary code execution
> must be of an uploaded non-malicious payload. Submission of a
> malicious payload is grounds for disqualification from this phase of
> the challenge.
>
> I) Technologies Covered:
>
> - - Microsoft Internet Explorer 7.0
> - - Microsoft Windows Vista
>
> II) Working Exploit Challenge Ground Rules:
>
> Working exploit code must be for the submitted vulnerability only.
> iDefense will not consider exploit code for existing vulnerabilities
> or new vulnerabilities submitted by others. iDefense will consider
> one and only one working exploit for each original vulnerability
> submitted.
>
> The minimum award for a working exploit is $2000. In addition to the
> base award, additional amounts up to $4000 may be awarded based upon:
>
> - - Reliability of the exploit
> - - Quality of the exploit code
> - - Readability of the exploit code
> - - Documentation of the exploit code
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
> QkO9IXq+PsC6bMKg7j6Dwfw=
> =N0am
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/