A legitimate buyer is not necessarily an ethical buyer. Demand to know the buyer first, then do your homework. As always, proceed with caution.

- Jim

Simon Smith wrote:
> Amen!
> KF is 100% on the money. I can arrange the legitimate purchase of most
> working exploits for significantly more money than iDefense, in some cases
> over $75,000.00 per purchase. The company that I am working with has a
> relationship with a legitimate buyer, all transactions are legal. If you're
> interested contact me and we'll get the ball rolling.
>
> -Simon
>
> $8000.00 USD is low!
>
> On 1/16/07 12:29 PM, "K F (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx> wrote:
>
>> No offense to iDefense as I have used their services in the past... but
>> MY Q1 2007 Challenge to YOU is to start offering your researchers more
>> money in general! I've sold remotely exploitable bugs in random 3rd
>> party products for more $$ than you are offering for these Vista items
>> (see the h0n0 #3). I really think you guys are devaluing the exploit
>> market with your low offers... I've had folks mail me like WOW iDefense
>> offered me $800 for this remote exploit. Pfffttt not quite.
>>
>> We all know black hats are selling these sploits for <=$25k so why
>> should the legit folks settle for anything less? As an example the guys
>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
>> we decided it was not worth it due to low pay...
>>
>> Low Pay == Not getting disclosed via iDefense....
>>
>> -KF
>>
>>> I know someone who will pay significantly more per vulnerability against the
>>> same targets.
>>>
>>> On 1/10/07 12:27 PM, "contributor" <Contributor@xxxxxxxxxxxx> wrote:
>>>
>>>> Also available at:
>>>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>>>>
>>>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
>>>> Vista & IE 7.0*
>>>>
>>>> Both Microsoft Internet Explorer and Microsoft Windows dominate their
>>>> respective markets, and it is not surprising that the decision to
>>>> update to the current release of Internet Explorer 7.0 and/or Windows
>>>> Vista is fraught with uncertainty. Primary in the minds of IT security
>>>> professionals is the question of vulnerabilities that may be present in
>>>> these two groundbreaking products.
>>>>
>>>> To help assuage this uncertainty, iDefense Labs is pleased to announce
>>>> the Q1, 2007 quarterly challenge.
>>>>
>>>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>>>>
>>>> Vulnerability Challenge:
>>>> iDefense will pay $8,000 for each submitted vulnerability that allows
>>>> an attacker to remotely exploit and execute arbitrary code on either of
>>>> these two products. Only the first submission for a given vulnerability
>>>> will qualify for the award, and iDefense will award no more than six
>>>> payments of $8000. If more than six submissions qualify, the earliest
>>>> six submissions (based on submission date and time) will receive the
>>>> award.
>>>> The iDefense Team at VeriSign will be responsible for making the final
>>>> determination of whether or not a submission qualifies for the award.
>>>> The criteria for this phase of the challenge are:
>>>>
>>>> I) Technologies Covered:
>>>> - Microsoft Internet Explorer 7.0
>>>> - Microsoft Windows Vista
>>>>
>>>> II) Vulnerability Challenge Ground Rules:
>>>> - The vulnerability must be remotely exploitable and must allow
>>>>   arbitrary code execution in a default installation of one of the
>>>>   technologies listed above
>>>> - The vulnerability must exist in the latest version of the affected
>>>>   technology with all available patches/upgrades applied
>>>> - 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar
>>>>   versions of the listed technologies are not included in this
>>>>   challenge
>>>> - The vulnerability must be original and not previously disclosed
>>>>   either publicly or to the vendor by another party
>>>> - The vulnerability cannot be caused by or require any additional
>>>>   third party software installed on the target system
>>>> - The vulnerability must not require additional social engineering
>>>>   beyond browsing a malicious site
>>>>
>>>> Working Exploit Challenge:
>>>> In addition to the $8000 award for the submitted vulnerability,
>>>> iDefense will pay from $2000 to $4000 for working exploit code that
>>>> exploits the submitted vulnerability. The arbitrary code execution
>>>> must be of an uploaded non-malicious payload.
>>>> Submission of a malicious payload is grounds for disqualification from
>>>> this phase of the challenge.
>>>>
>>>> I) Technologies Covered:
>>>> - Microsoft Internet Explorer 7.0
>>>> - Microsoft Windows Vista
>>>>
>>>> II) Working Exploit Challenge Ground Rules:
>>>> Working exploit code must be for the submitted vulnerability only.
>>>> iDefense will not consider exploit code for existing vulnerabilities
>>>> or new vulnerabilities submitted by others. iDefense will consider one
>>>> and only one working exploit for each original vulnerability
>>>> submitted.
>>>>
>>>> The minimum award for a working exploit is $2000. In addition to the
>>>> base award, additional amounts up to $4000 may be awarded based upon:
>>>> - Reliability of the exploit
>>>> - Quality of the exploit code
>>>> - Readability of the exploit code
>>>> - Documentation of the exploit code
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/

--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@xxxxxxxxxx
808.652.3805