Penetration Testing mailing list archives
RE: Trend Micro's Vista "0day exploit auction" claim
From: "Sels, Roger" <roger.sels () gov-fbi net>
Date: Tue, 19 Dec 2006 13:11:29 +0100 (CET)
Chris, Good points. However how did you come to the ascertion that everyone is expecting lots of exploits ? I for one didn't express this opinion. Keeping Windows 2003 in mind (and how widely it's deployed, admittedly) we could be in for a surprise with Vista. Maybe that's too optimistic ; only time will tell. Kr Roger On Wed, December 20, 2006 12:54 am, Chris Poulter wrote:
50k per vulnerability opposed to hundreds (unlikely) 60-100k/year (unlikely) - the Q/A's might only get 40-50k/year, a security vulnerability technician would be the one getting paid the big bucks, but there wouldn't be "hundreds" of them? - how do you work that one out to be more feasible? Considering everyone is presuming there will be lots of exploits, 50k/exploit will equate to a much larger payout.... And exploit the exploiters? - how do you figure this one as well? Someone getting paid 50k/exploit is far more beneficial to the "exploiter" than getting nothing and just sharing the love....where MS would lose out more if this happened and leave them more exposed... I'm not arguing for either side of the case as I haven't looked into it enough to make my own judgment, but I don't think your assessment is accurate... -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Cody Tubbs Sent: Wednesday, December 20, 2006 10:40 AM To: Radu Oprisan Cc: pen-test () securityfocus com Subject: Re: Trend Micro's Vista "0day exploit auction" claim It's cheaper to pay kids 50k for actually finding flaws, rather than paying hundreds of QA engineers 60-100k a pop to spend months finding nothing. Another reason M$ sucks, exploit the exploiters. -Cody Tubbs Radu Oprisan wrote:Ryan Meyer wrote:A number of popular tech news sources are reporting Trend Micro'sCTO,Raimund Genes, publicly claiming that there are "auctions" forzero-dayWindows Vista exploits. Further, he claims these auctions arefetchingapprox $50,000. Could anyone verify Trend Micro's claim?It seems dubious, at best, to me and possibly nothing more than pureFUD.Sorry to get off topic. Ryan MeyerThis could also be some covert way for microsoft to find their own vulnerabilities. That has happened before.
-- Life is 10 percent what you make it and 90 percent how you take it. - Irving Berlin
Current thread:
- Trend Micro's Vista "0day exploit auction" claim Ryan Meyer (Dec 19)
- Re: Trend Micro's Vista "0day exploit auction" claim Sels, Roger (Dec 19)
- Re: Trend Micro's Vista "0day exploit auction" claim Radu Oprisan (Dec 19)
- Re: Trend Micro's Vista "0day exploit auction" claim Cody Tubbs (Dec 19)
- RE: Trend Micro's Vista "0day exploit auction" claim Chris Poulter (Dec 19)
- RE: Trend Micro's Vista "0day exploit auction" claim Sels, Roger (Dec 19)
- RE: Trend Micro's Vista "0day exploit auction" claim Chris Poulter (Dec 19)
- Re: Trend Micro's Vista "0day exploit auction" claim Cody Tubbs (Dec 19)
- Re: Trend Micro's Vista "0day exploit auction" claim Cody Tubbs (Dec 19)
- <Possible follow-ups>
- Re: Trend Micro's Vista "0day exploit auction" claim krymson (Dec 19)