Full Disclosure mailing list archives

Re: iDefense Q-1 2007 Challenge


From: "ad () heapoverflow com" <mr.dovi () gmail com>
Date: Tue, 16 Jan 2007 23:30:35 +0100

I agree with you KF, that's why I have not recommended iDEFENSE in my
forum's footer for some time now.
They are just playing on the fact they are alone, or they were alone
for a long time on this market, and they do
not wish to make any effort, making loads of dollars with us, to say
clean, they suck.

AD

K F (lists) wrote:
No offense to iDefense as I have used their services in the past... but 
MY Q1 2007 Challenge to YOU is to start offering your researchers more 
money in general! I've sold remotely exploitable bugs in random 3rd 
party products for more $$ than you are offering for these Vista items 
(see the h0n0 #3). I really think you guys are devaluing the exploit 
market with your low offers... I've had folks mail me like WOW iDefense 
offered me $800 for this remote exploit. Pfffttt not quite.

We all know black hats are selling these sploits for <=$25k so why 
should the legit folks settle for anything less? As an example the guys 
at MOAB kicked around selling a Quicktime bug to iDefense but in the end 
we decided it was not worth it due to low pay...

Low Pay == Not getting disclosed via iDefense....

-KF


  
I know someone who will pay significantly more per vulnerability against the
same targets. 


On 1/10/07 12:27 PM, "contributor" <Contributor () idefense com> wrote:

Also available at:
http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge

*Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
Vista & IE 7.0*

Both Microsoft Internet Explorer and Microsoft Windows dominate their
respective markets, and it is not surprising that the decision to
update to the current release of Internet Explorer 7.0 and/or Windows
Vista is fraught with uncertainty.  Primary in the minds of IT security
professionals is the question of vulnerabilities that may be present in
these two groundbreaking products.

To help assuage this uncertainty, iDefense Labs is pleased to announce
the Q1, 2007 quarterly challenge.

Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0

Vulnerability Challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows
an attacker to remotely exploit and execute arbitrary code on either of
these two products.  Only the first submission for a given
vulnerability will qualify for the award, and iDefense will award no
more than six payments of $8000.  If more than six submissions qualify,
the earliest six submissions (based on submission date and time) will
receive the award.  The iDefense Team at VeriSign will be responsible
for making the final determination of whether or not a submission
qualifies for the award.  The criteria for this phase of the challenge
are:

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Vulnerability Challenge Ground Rules:
- The vulnerability must be remotely exploitable and must allow
  arbitrary code execution in a default installation of one of the
  technologies listed above
- The vulnerability must exist in the latest version of the affected
  technology with all available patches/upgrades applied
- 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
  versions of the listed technologies are not included in this
  challenge
- The vulnerability must be original and not previously disclosed
  either publicly or to the vendor by another party
- The vulnerability cannot be caused by or require any additional
  third party software installed on the target system
- The vulnerability must not require additional social engineering
  beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8000 award for the submitted vulnerability,
iDefense will pay from $2000 to $4000 for working exploit code that
exploits the submitted vulnerability.  The arbitrary code execution
must be of an uploaded non-malicious payload.  Submission of a
malicious payload is grounds for disqualification from this phase of
the challenge.

I) Technologies Covered:
- Microsoft Internet Explorer 7.0
- Microsoft Windows Vista

II) Working Exploit Challenge Ground Rules:
Working exploit code must be for the submitted vulnerability only -
iDefense will not consider exploit code for existing vulnerabilities or
new vulnerabilities submitted by others.  iDefense will consider one
and only one working exploit for each original vulnerability submitted.

The minimum award for a working exploit is $2000.  In addition to the
base award, additional amounts up to $4000 may be awarded based upon:
- Reliability of the exploit
- Quality of the exploit code
- Readability of the exploit code
- Documentation of the exploit code

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/