BugTraq
iDefense Q-1 2007 Challenge, Jan 10 2007 05:27PM, contributor (Contributor idefense com) (1 replies)
Re: [Full-disclosure] iDefense Q-1 2007 Challenge, Jan 16 2007 05:14PM, Simon Smith (simon snosoft com) (1 replies)
MY Q1 2007 Challenge to YOU is to start offering your researchers more
money in general! I've sold remotely exploitable bugs in random 3rd
party products for more $$ than you are offering for these Vista items
(see the h0n0 #3). I really think you guys are devaluing the exploit
market with your low offers... I've had folks mail me like WOW iDefense
offered me $800 for this remote exploit. Pfffttt not quite.
We all know black hats are selling these sploits for <=$25k so why
should the legit folks settle for anything less? As an example the guys
at MOAB kicked around selling a Quicktime bug to iDefense but in the end
we decided it was not worth it due to low pay...
Low Pay == Not getting disclosed via iDefense....
-KF
> I know someone who will pay significantly more per vulnerability against the
> same targets.
>
>
> On 1/10/07 12:27 PM, "contributor" <Contributor (at) idefense (dot) com [email concealed]> wrote:
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Also available at:
>>
>> http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge
>>
>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in
>> Vista & IE 7.0*
>>
>> Both Microsoft Internet Explorer and Microsoft Windows dominate their
>> respective markets, and it is not surprising that the decision to
>> update to the current release of Internet Explorer 7.0 and/or Windows
>> Vista is fraught with uncertainty. Primary in the minds of IT security
>> professionals is the question of vulnerabilities that may be present
>> in these two groundbreaking products.
>>
>> To help assuage this uncertainty, iDefense Labs is pleased to announce
>> the Q1, 2007 quarterly challenge.
>>
>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0
>>
>> Vulnerability Challenge:
>> iDefense will pay $8,000 for each submitted vulnerability that allows
>> an attacker to remotely exploit and execute arbitrary code on either
>> of these two products. Only the first submission for a given
>> vulnerability will qualify for the award, and iDefense will award no
>> more than six payments of $8000. If more than six submissions qualify,
>> the earliest six submissions (based on submission date and time) will
>> receive the award. The iDefense Team at VeriSign will be responsible
>> for making the final determination of whether or not a submission
>> qualifies for the award. The criteria for this phase of the challenge
>> are:
>>
>> I) Technologies Covered:
>> - - Microsoft Internet Explorer 7.0
>> - - Microsoft Windows Vista
>>
>> II) Vulnerability Challenge Ground Rules:
>> - - The vulnerability must be remotely exploitable and must allow
>> arbitrary code execution in a default installation of one of the
>> technologies listed above
>> - - The vulnerability must exist in the latest version of the
>> affected technology with all available patches/upgrades applied
>> - - 'RC' (Release candidate), 'Beta', 'Technology Preview' and
>> similar versions of the listed technologies are not included in this
>> challenge
>> - - The vulnerability must be original and not previously disclosed
>> either publicly or to the vendor by another party
>> - - The vulnerability cannot be caused by or require any additional
>> third party software installed on the target system
>> - - The vulnerability must not require additional social engineering
>> beyond browsing a malicious site
>>
>> Working Exploit Challenge:
>> In addition to the $8000 award for the submitted vulnerability,
>> iDefense will pay from $2000 to $4000 for working exploit code that
>> exploits the submitted vulnerability. The arbitrary code execution
>> must be of an uploaded non-malicious payload. Submission of a
>> malicious payload is grounds for disqualification from this phase of
>> the challenge.
>>
>> I) Technologies Covered:
>> - - Microsoft Internet Explorer 7.0
>> - - Microsoft Windows Vista
>>
>> II) Working Exploit Challenge Ground Rules:
>> Working exploit code must be for the submitted vulnerability only
>>
>> iDefense will not consider exploit code for existing vulnerabilities
>> or new vulnerabilities submitted by others. iDefense will consider
>> one and only one working exploit for each original vulnerability
>> submitted.
>>
>> The minimum award for a working exploit is $2000. In addition to the
>> base award, additional amounts up to $4000 may be awarded based upon:
>> - - Reliability of the exploit
>> - - Quality of the exploit code
>> - - Readability of the exploit code
>> - - Documentation of the exploit code
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.3 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU
>> QkO9IXq+PsC6bMKg7j6Dwfw=
>> =N0am
>> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/