Exploits Contributor Program

[full-disclosure () lists netsys com (iMoolah)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetingz again,

1. We _are_ serious.  Very serious.  While our offer was written to
poke fun at iDefense's offer, we are definitely not joking.  And if
US$1000+ seems too high to believe, that's because

    (a) you and your research have been taken for granted from all
    around so far,

    (b) you're too easily satisfied by iDefense's offer, or

    (c) you just like PayPal.

2. Obviously, iMoolah is not the real name of our company.  And yes,
it is hosted on a free web site, using a free e-mail address, and all
the usual anonymity shebang.  But that's for a couple of reasons:

    (a) we don't want to reveal the true identity of our company,
    and registering a domain name, getting it securely hosted on
    astalavista.com, etc, wouldn't help, and

    (b) this program was set up in response to iDefense's offer,
    which we felt we had to counter quickly in order to retain
    our competitive edge. If we had had more time (and we still
    might), I could have cajoled my next door neighbor into
    registering the name for me, called in that favor from my friend
    in Russia who's got a web server, etc., etc.

3. To those who've responded to us so far -- we'll be getting in
touch with you. =)  For those who haven't, you could always wait for
the others to write in later telling you how their bank accounts have
suddenly grown a bit -- if they decide to let you on, of course.

4. For those of you who aren't able to or don't want to download our
PGP public key from our website, it's now available on the normal
keyservers.  What a bother.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPVheCNyVqTa6ZWQTEQI+iACeNxdeSzQSPRJZX+vZb3tX2t1grzcAnjEK
0jtSf5mGbAQApp95z91nVpW2
=tPuL
-----END PGP SIGNATURE-----


----- Original Message -----
From: "iMoolah" <ecp () imoolah hotusa org>
To: <full-disclosure () lists netsys com>; "VulnDev"
<vuln-dev () securityfocus com>; "Bugtraq" <bugtraq () securityfocus com>;
<securityjobs () securityfocus com>
Sent: Monday, August 12, 2002 7:01 AM
Subject: [Full-disclosure] Exploits Contributor Program


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetingz,
>
> iMoolah is pleased to announce the official launch of its Exploits
> Contributor Program (ECP). The ECP pays contributors very well for
> the advance and exclusive notification of exploit code and malicious
> code.
>
> iMoolah belives you might find our terms for contributing to the ECP
> very attractive. The following provides answers to some basic
> questions about the program:
>
> Q. How will it work?
> A. iMoolah understands the majority of security researchers are paid
> peanuts for publishing security research, and $400 for a fully
> working unpublished exploit just doesn't cut it; rather, it could be
> for any of a number of motivations, including the following:
>
>  * MONEY MONEY MONEY MONEY MONEY. Everyone's in it for a quick buck.
>  * Other more boring reasons that have nothing to do with moolah.
>
> The ECP is for those who may or may not want to have their research
> made public to the Internet community, but who would definitely like
> to be paid for doing the work.  The compensation will depend, among
> other things, on the following items:
>
>  * The kind of information being shared (i.e. local or root exploit)
>  * The amount of detail and analysis provided
>  * The potential severity level for the information shared
>  * The types of applications, OSes, and other software/hardware
> affected
>  * Verification by iMoolah
>  * The level of exclusivity for data granted to iMoolah
>  * Number of users of the affected application
>
> We don't want anything worth less than US$1000, and we won't pay you
> anything less either.  And if you've got something really good,
we'll
> give you much more than that.  Who said you have to stay poor?
>
> Q. Who should contribute to the ECP?
> A. The ECP is open to any individual, security research group or
> other entity.  That means YOU and your buddies.
>
> Q. Why are you launching this program?
> A. Many services charge clients for access without paying the
> original contributor. Under the iMoolah program, the contributor is
> compensated, iMoolah verifies the issue, and we only let the public
> know if you want us to.
>
> Q. Who gets the credit?
> A. The contributor is always credited for discovering the exploit
> information.
>
> Q. When can I contribute?
> The ECP is active. You are welcome to begin contributing today.
>
> To learn more, go to http://imoolah.hotusa.org/. If you have
> questions or would like to sign up as a contributor to the ECP,
> please contact us at ecp () imoolah hotusa org.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1.1
>
> iQA/AwUBPVdUJdyVqTa6ZWQTEQKNbQCgjmZ3DiFDQR3YlmH8ZCJM1njfEvoAoN7P
> J9RYbnd1l3EGarjneinWhapl
> =T+fK
> -----END PGP SIGNATURE-----