I know someone who will pay significantly more per vulnerability against
the same targets.

On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:

> Also available at:
> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>
> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
> Vista & IE 7.0*
>
> Both Microsoft Internet Explorer and Microsoft Windows dominate their
> respective markets, and it is not surprising that the decision to update
> to the current release of Internet Explorer 7.0 and/or Windows Vista is
> fraught with uncertainty. Primary in the minds of IT security
> professionals is the question of vulnerabilities that may be present in
> these two groundbreaking products. To help assuage this uncertainty,
> iDefense Labs is pleased to announce the Q1, 2007 quarterly challenge.
>
> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>
> Vulnerability Challenge:
>
> iDefense will pay $8,000 for each submitted vulnerability that allows an
> attacker to remotely exploit and execute arbitrary code on either of
> these two products. Only the first submission for a given vulnerability
> will qualify for the award, and iDefense will award no more than six
> payments of $8000. If more than six submissions qualify, the earliest six
> submissions (based on submission date and time) will receive the award.
> The iDefense Team at VeriSign will be responsible for making the final
> determination of whether or not a submission qualifies for the award.
>
> The criteria for this phase of the challenge are:
>
> I) Technologies Covered:
>
> - Microsoft Internet Explorer 7.0
> - Microsoft Windows Vista
>
> II) Vulnerability Challenge Ground Rules:
>
> - The vulnerability must be remotely exploitable and must allow
>   arbitrary code execution in a default installation of one of the
>   technologies listed above
> - The vulnerability must exist in the latest version of the affected
>   technology with all available patches/upgrades applied
> - 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
>   versions of the listed technologies are not included in this challenge
> - The vulnerability must be original and not previously disclosed either
>   publicly or to the vendor by another party
> - The vulnerability cannot be caused by or require any additional third
>   party software installed on the target system
> - The vulnerability must not require additional social engineering
>   beyond browsing a malicious site
>
> Working Exploit Challenge:
>
> In addition to the $8000 award for the submitted vulnerability, iDefense
> will pay from $2000 to $4000 for working exploit code that exploits the
> submitted vulnerability. The arbitrary code execution must be of an
> uploaded non-malicious payload. Submission of a malicious payload is
> grounds for disqualification from this phase of the challenge.
>
> I) Technologies Covered:
>
> - Microsoft Internet Explorer 7.0
> - Microsoft Windows Vista
>
> II) Working Exploit Challenge Ground Rules:
>
> Working exploit code must be for the submitted vulnerability only;
> iDefense will not consider exploit code for existing vulnerabilities or
> new vulnerabilities submitted by others. iDefense will consider one and
> only one working exploit for each original vulnerability submitted. The
> minimum award for a working exploit is $2000. In addition to the base
> award, additional amounts up to $4000 may be awarded based upon:
>
> - Reliability of the exploit
> - Quality of the exploit code
> - Readability of the exploit code
> - Documentation of the exploit code