
Re: [Full-disclosure] iDefense Q-1 2007 Challenge



No offense to iDefense as I have used their services in the past... but MY Q1 2007 Challenge to YOU is to start offering your researchers more money in general! I've sold remotely exploitable bugs in random 3rd party products for more $$ than you are offering for these Vista items (see the h0n0 #3). I really think you guys are devaluing the exploit market with your low offers... I've had folks mail me like WOW iDefense offered me $800 for this remote exploit. Pfffttt not quite.

We all know black hats are selling these sploits for <=$25k so why should the legit folks settle for anything less? As an example the guys at MOAB kicked around selling a Quicktime bug to iDefense but in the end we decided it was not worth it due to low pay...

Low Pay == Not getting disclosed via iDefense....

-KF


I know someone who will pay significantly more per vulnerability against the
same targets.

On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Also available at:

http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty.  Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products.

To help assuage this uncertainty, iDefense Labs is pleased to announce the Q1, 2007 quarterly challenge.

Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability Challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products.  Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8000.  If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award.  The iDefense Team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award.  The criteria for this phase of the challenge are:

I) Technologies Covered:
-    Microsoft Internet Explorer 7.0
-    Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
-    The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above
-    The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied
-    'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge
-    The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party
-    The vulnerability cannot be caused by or require any additional third party software installed on the target system
-    The vulnerability must not require additional social engineering beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability, iDefense will pay from $2000 to $4000 for working exploit code that exploits the submitted vulnerability.  The arbitrary code execution must be of an uploaded non-malicious payload.  Submission of a malicious payload is grounds for disqualification from this phase of the challenge.

I) Technologies Covered:
-    Microsoft Internet Explorer 7.0
-    Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only - iDefense will not consider exploit code for existing vulnerabilities or new vulnerabilities submitted by others.  iDefense will consider one and only one working exploit for each original vulnerability submitted.

The minimum award for a working exploit is $2000.  In addition to the base award, additional amounts up to $4000 may be awarded based upon:
-    Reliability of the exploit
-    Quality of the exploit code
-    Readability of the exploit code
-    Documentation of the exploit code


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
QkO9IXq+PsC6bMKg7j6Dwfw=
=N0am
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
