Re: [Full-disclosure] iDefense Q-1 2007 Challenge

[Simon Smith <simon () snosoft com>]

I know someone who will pay significantly more per vulnerability against the
same targets. 


On 1/10/07 12:27 PM, "contributor" <Contributor () idefense com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also available at:


> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+chall
> enge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities
> in
Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows
> dominate their
respective markets, and it is not surprising that the decision
> to
update to the current release of Internet Explorer 7.0 and/or Windows
Vista
> is fraught with uncertainty.  Primary in the minds of IT
security
> professionals is the question of vulnerabilities that may be
present in these
> two groundbreaking products.

To help assuage this uncertainty, iDefense Labs
> is pleased to announce
the Q1, 2007 quarterly challenge.

Remote Arbitrary
> Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability
> Challenge:
iDefense will pay $8,000 for each submitted vulnerability that
> allows
an attacker to remotely exploit and execute arbitrary code on either
of
> these two products.  Only the first submission for a given
vulnerability will
> qualify for the award, and iDefense will award no
more than six payments of
> $8000.  If more than six submissions
qualify, the earliest six submissions
> (based on submission date and
time) will receive the award.  The iDefense Team
> at VeriSign will be
responsible for making the final determination of whether
> or not a
submission qualifies for the award.  The criteria for this phase
> of
the challenge are:

I) Technologies Covered:
- -    Microsoft Internet
> Explorer 7.0
- -    Microsoft Windows Vista

II) Vulnerability Challenge
> Ground Rules:
- -    The vulnerability must be remotely exploitable and must
> allow
arbitrary code execution in a default installation of one of
> the
technologies listed above
- -    The vulnerability must exist in the
> latest version of the
affected technology with all available patches/upgrades
> applied
- -    'RC' (Release candidate), 'Beta', 'Technology Preview'
> and
similar versions of the listed technologies are not included in
> this
challenge
- -    The vulnerability must be original and not previously
> disclosed
either publicly or to the vendor by another party
- -    The
> vulnerability cannot be caused by or require any additional
third party
> software installed on the target system
- -    The vulnerability must not
> require additional social engineering
beyond browsing a malicious
> site

Working Exploit Challenge:
In addition to the $8000 award for the
> submitted vulnerability,
iDefense will pay from $2000 to $4000 for working
> exploit code that
exploits the submitted vulnerability.  The arbitrary code
> execution
must be of an uploaded non-malicious payload.  Submission of
> a
malicious payload is grounds for disqualification from this phase of
the
> challenge.

I) Technologies Covered:
- -    Microsoft Internet Explorer 7.0
-
> -    Microsoft Windows Vista

II) Working Exploit Challenge Ground
> Rules:
Working exploit code must be for the submitted vulnerability only
> ­
iDefense will not consider exploit code for existing vulnerabilities
or new
> vulnerabilities submitted by others.  iDefense will consider
one and only one
> working exploit for each original vulnerability
submitted.

The minimum award
> for a working exploit is $2000.  In addition to the
base award, additional
> amounts up to $4000 may be awarded based upon:
- -    Reliability of the
> exploit
- -    Quality of the exploit code
- -    Readability of the exploit
> code
- -    Documentation of the exploit code


-----BEGIN PGP
> SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with
> Mozilla - http://enigmail.mozdev.org

>
iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
QkO9IXq+PsC6
> bMKg7j6Dwfw=
=N0am
-----END PGP
> SIGNATURE-----

_______________________________________________
Full-Disclosur
> e - We believe in it.
Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by
> Secunia - http://secunia.com/