Forgot your password?
typodupeerror

$10k Bounty for Critical Windows Flaws 138

Posted by CmdrTaco
from the rolling-in-the-benjamins dept.
An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""
This discussion has been archived. No new comments can be posted.

$10k Bounty for Critical Windows Flaws

Comments Filter:
  • by biocute (936687) on Thursday February 16, 2006 @04:16PM (#14736164) Homepage
    I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and makes zillions of them?

    1. Design flawed OS
    2. Wait for bounty on flaws
    3. Submit flaws
    4. Issue "critical" advisories on those flaws
    5. Profit!!!

    Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.
  • Vista! (Score:5, Funny)

    by Anonymous Coward on Thursday February 16, 2006 @04:17PM (#14736171)
    Now where's my check?
    • Re:Vista! (Score:1, Funny)

      by Mayhem178 (920970)
      Nope, sorry. This is a fruitless offer. Windows doesn't contain flaws. It has unpublished features. No money for you.
  • by Yaksha42 (856623) on Thursday February 16, 2006 @04:17PM (#14736174)
    It's times like this, when the rent is due, that I wish I knew more about hacking. :(
  • Operation: Who Wants To Be A Millionaire?
  • Remember though (Score:5, Interesting)

    by saskboy (600063) on Thursday February 16, 2006 @04:19PM (#14736198) Homepage Journal
    If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

    On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...
    • Considering the copyright notice on Windows XP is from 1985 to present finding security vulnerabilities [msversus.org] in their old software may not be such a bad idea. At least some of the old code still resides in current versions of Windows. They've never performed a complete rewrite.
    • If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist.
      frankly im quite suprised windows 3.1 was issued critical warnings up until then
  • by Anonymous Coward on Thursday February 16, 2006 @04:19PM (#14736199)
    I can't imagine MS is gonna be too pleased with this.

    And they have a couple law-talkin guys on staff.
    • Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.
      • No no, iDefense is going to sue Microsoft for their losses caused by Microsoft's bugs! ;)
      • I dunno, what do they get out of being the ones to report the flaw to MS? If I found a critical flaw and reported it directly to MS, would I get paid? I doubt it. So how does iDefense get their money back? An army of spamming/DDOSing zombies for a month or so, and then report it would be my guess. That's if I was prone to paranoia, which I'm not, so stop looking at me like that! There was a look there, don't deny it, I'm onto you!!
    • Sue them for what? I don't see how this is any different from other vulnerability bounties, or even a more general science bounty. The only way MS could sue someone is if they made NDAs mandatory for those who use Windows. And then, they could only sue the person who "leaked" the information.
  • by MikeFM (12491) on Thursday February 16, 2006 @04:23PM (#14736241) Homepage Journal
    This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

    As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.
  • by madnuke (948229) on Thursday February 16, 2006 @04:24PM (#14736249)
    That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.
  • Found it! (Score:5, Funny)

    by Fr05t (69968) on Thursday February 16, 2006 @04:26PM (#14736257)
    iexplore.exe

    You may send the prize money to PO Box 3872, Moncton, NB, Canada
  • by Weaselmancer (533834) on Thursday February 16, 2006 @04:28PM (#14736284)

    They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

    Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.

  • by gasmonso (929871) on Thursday February 16, 2006 @04:28PM (#14736289) Homepage

    Some Vista developer is saying to himself, "I'm gonna code me a minivan!"

    http://religiousfreaks.com/ [religiousfreaks.com]
  • by autopr0n (534291) on Thursday February 16, 2006 @04:32PM (#14736313) Homepage Journal
    I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independantly? What happens then?
  • by xxxJonBoyxxx (565205) on Thursday February 16, 2006 @04:34PM (#14736355)
    "iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

    Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

  • by Anonymous Coward on Thursday February 16, 2006 @04:37PM (#14736376)
    Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.
    • Windows will one step (okay, 87,000 steps) closer to finally being as stable as nitroglycerin. M$ slaves around the world rejoice. *nix users either 1.) laugh at the unwashed masses, 2.) sigh and shake their heads at the primitive savages, or 3.) be too busy being productive to notice.
  • This would be more about notoriety than money.

    Think about it - hacker gets paid $10k for finding a critical flaw and reporting it.

    Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands.

    It happens, I see it often enough when called in to do security-audits after-the-fact, and no, it's not me that's doing the blackmailing ;)
    • The $10K is certain. The few hundred K is a risk (or not an option for those with scruples)
      • You're not seriously insinuating I lack scruples are you?

        I said I see this when I'm asked to come in and TRY to make sure it doesn't happen again, not because I do it myself?

        If you work in the finance sector you will KNOW this happens and you will KNOW Banks and other financial businesses don't like it publicized when they are taken for a ride.
        • put down the crackpipe please.
          Do you have a disease? you think everyone on the internet is talking about you?

          Neither the GP nor its sibling post are implying anything about your conduct. Both are making the same point - for some people extortion isn't an option. They're not suggesting YOU engage in extortion.

          No possible reading of their posts suggests anything different to me.

          Besides, if you can't take a few cheap digs and insinuations without wetting yourself, you shouldn't be here, pinhead.
          • I asked if they were insinuating something based on the fact anyone with more than 2 braincells already knows it's illegal and immoral, and most people wouldn't do it, the point of my post is people still do.

            I didn't wet myself at all mate, you seem to be the one who overreacted.
            • Klootzak is an extortionist!!
              Klootzak smokes crack for breakfast!!
              Klootzak jumps to conclusions!!

              see, noone cares about you, your sad life or your pathetic insecurities.
              • LOL, you're quite amusing. /* see, noone cares about you, your sad life or your pathetic insecurities. */

                I'd beg to differ - if that were the case you wouldn't have replied ;)

                Please continue, I find unrequited abuse very entertaning :)
            • I normally don't feed trolls but I am in the mood today..... Get off your high horse Klootzak. You are the one over reacting. You need to pay attention and engage mind before mouth/typing. Consider yourself shot down and corrected. You totally misread the post and are out of line. weierstrass made a valid point and corrected you. You decided to take it wrong. Way wrong. I have a feeling you think you are always right and argue a lot. I am going to say your male. Late 20's. Single. I could go on and on abou
              • Why would I bother arguing? No-one cares about me? :)

                Male yes, late 20s no, single no, but no-one cares, so why comment?

                I'm obviously argumentative, you can see so in my posts, full of hostility and lack of knowledge on the topic :)
                • Ah but you have a sense of humor and that is what matters :) Just need to relax a bit more and think before typing/speaking.
        • No, I'm not insinuating anything about you. You read my post incorrectly.

          I said that blackmailing for hundreds of thousands of dollars is not an option for those with scruples. There is no ambiguity in that sentence.
    • /* Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands. */

      I believe the correct phrase is "extortion".
       
      /* The $10K is certain. The few hundred K is a risk (or not an option for those with scruples) */

      Given the above comment, it's also not an option for those that don't want to go to prison.

      • Yet someone else who is assuming I'm extorting companies?

        I said in the above, I SEE this as part of my job, I don't DO it?

        You guys love your conclusion-jumping don't you?
        • /* Yet someone else who is assuming I'm extorting companies?
          I said in the above, I SEE this as part of my job, I don't DO it?
          You guys love your conclusion-jumping don't you? */

          uhh.... seriously, no more espresso. I didn't accuse you of anything, I said that the thing you are DESCRIBING is extortion. Now, you can gather whatever info you want from the above comment, and re-think your response.
          • My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?

            What may NOT be common knowledge is how often it happens, because the companies it happens to don't like their customers to know their security has been compromised.

            I read into your response because you stated the obvious... just having my first coffee of the morning now, cafe-latte, not espresso ;)
            • My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?

              OK, in the root of this thread, in the subject line, you say that more incentive is required to make this offer worthwhile. My reply and the GP state that there is, in fact, a possibility that there are security researchers who would rather have bugs fixed and get a smaller reward than risk prison time for a larger purse that may end up being nothing. This may be
      • what about e-bay.. sell the exploit to the higest bidder?

        For sale: One windows Exploit, hardly used. Make money quickly through carefully placed advertizing. Reserve $10,000.
        • Hahaha, good idea, obviously you're the entrepreneurial type. :)

          Make more money just working in "white-hat" security consulting if you are good enough to find exploits though, any company involved in asset-management or even just high-volume b2b transactions craves those skills (for obvious reasons).
  • Why only Windows? (Score:2, Interesting)

    by feranick (858651)
    Maybe I am provocative... Anyway: when are we going to have similar initiatives for OSX or linux?
  • Verisign?? (Score:3, Insightful)

    by Rob T Firefly (844560) on Thursday February 16, 2006 @04:50PM (#14736499) Homepage Journal
    It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.
  • If iDefense (Verisign) can come up with $10K per critical Microsoft Windows flaw, why can't HP (or any other party interested in a secure environment) come up with money to support the development of applications for their own, very secure operating system: HP OpenVMS [hp.com]? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?
    • support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?

      Maybe the question you should be asking is: Why does everyone USE windows instead of HP OpenVMS? And the answer is usually, because being able to use it is primary and being able to use it securely is secondary. Most people can't just pick up an OpenVMS server and use it in 5 minutes--ok so most can't pick it up at a

      • If that were true, then why bother with OS X, BSD, SCO :-), AIX, Linux, QNX, or any other software product not from Microsoft? Besides, my granny is heating her snuggery with an HP Integrity Superdome Server [hp.com].
        • Well, sure you're going to see all of those as newsworthy, but most of the news is focused on the biggest market--actually I think Windows gets less coverage than its market share would dictate by itself (thank God).

          At work, the only HP server we have is running Exchange with windows.. I wouldn't trust granny with that much power.

  • by Anonymous Coward
    Users.

    My prize may be donated to the Association for Smacking Stupid People Upside the Head.
  • Umm... what's to stop iDefense from sitting on the details of the flaw? They say the submission must be exclusive and to get the cash Microsoft must issue a critical advisory. If iDefense does whatever they want with it and doesn't tell Microsoft, doesn't that mean Microsoft can't issue an advisory on a flaw they don't know about and iDefense doesn't have to give the submitter jack? Yeah, I admit it's far-fetched but I'd be reading the fine print to say the least.
  • by TallMatthew (919136) on Thursday February 16, 2006 @05:34PM (#14736885)
    "Here's your exploit, now where's my ten grand?"

    "Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."

  • What about beta? (Score:3, Insightful)

    by TopSpin (753) * on Thursday February 16, 2006 @05:50PM (#14737034) Journal
    If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

  • Bugs are worth more on the black market. Blackhats do not release their bugs to $VENDOR, that puts a stop to their money making by droping adware, keyloggers, and trojans on poor unsuspecting Joe Average User. No matter how large the bounty is, no matter how appealing the company tries to make it, it will only attract white hats, and some greyhats.

    The best exploits stay underground for an extremely long time until a whitehat catches a blackhat doing something careless (like not deleting their exploit they
  • So now hacking can be a career? It's now beneficial to train lots of people in the art of hacking?

    $10,000 for the first person to discover a backdoor into the national bank!
    one of those people is gonna leave with $10,000, the rest are leaving with a lot more than that!
  • I just picked this up from Gizmodo [gizmodo.com]

    That article is sez that Vista is too secure, and that the British govt wants a back door....
    The Russian mafia are going pay haxors big bucks for a back door if they find one (like the recently found WMF exploit - which some claim is a purposely put in 0 day exploit). I cant believe a Governments would push for this type of exploit, as they really just fuel the spy-ware and hacking economy!

    If the British govt get their way, Vista WILL have exploits, so its just a
  • Maybe crackers can sell their exploits to the highest bidder with the 10 Grand to I Defense being the reserve price.
    With all of the programmers out of jobs due to outsourcing, this is a way for American workers to compete on a level playing field.
  • DMCA violation? (Score:3, Interesting)

    by sl4shd0rk (755837) on Thursday February 16, 2006 @07:10PM (#14737763)
    Do the world a great service by finding windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the dmca because you took apart some binaries. Don't agree? Why do you think symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.
  • Hurray, verisign is going broke!
  • by Khyber (864651) <techkitsune@gmail.com> on Thursday February 16, 2006 @07:14PM (#14737789) Homepage Journal
    d:\setup.exe

    I'll take my ten grand now. Oh wait, I found another one!!

    explorer.exe

    There's twenty grand you owe me now!
    • Delete NTLDR and your system is safe forever.
      • I could disconnect from the net and be safe forever too. I wonder if I'll get a $50K reward for issuing that particular advisory? I see it now... "Your computer is connected to the Net. We recommend ripping your modem, network card, and wireless networking devices to ensure your PCs safety."
  • Either MS can start paying out for exclusive bugs, making iDefense's offer worthless, or they can start being more proactive about finding and patching critical problems.

    It seems like a real win/win for Windows users no matter what.
  • the ability to turn on a machine running windows! now, where's my $10k?
  • I think with that bounty, they'll be bankrupt in 4 days.
  • the devil is in the details. Any really good flaw reported will fall just this side of critical. Not critical no $10,000.00. No bad press.
  • ...iDefense recently signed a secret agreement with Microsoft whereby Microsoft would pay it $20,000 for every unknown Critical Windows Flaw it could find.

Kleeneness is next to Godelness.

Working...