
$10k Bounty for Critical Windows Flaws

Posted by CmdrTaco on Thu Feb 16, 2006 03:15 PM
from the rolling-in-the-benjamins dept.
An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on a particular class of vulnerabilities.""
  • by biocute (936687) on Thursday February 16 2006, @03:16PM (#14736164) Homepage
    I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and make zillions of them?

    1. Design flawed OS
    2. Wait for bounty on flaws
    3. Submit flaws
    4. Issue "critical" advisories on those flaws
    5. Profit!!!

    Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.
  • Vista! (Score:5, Funny)

    by Anonymous Coward on Thursday February 16 2006, @03:17PM (#14736171)
    Now where's my check?
  • by Yaksha42 (856623) on Thursday February 16 2006, @03:17PM (#14736174)
    It's times like this, when the rent is due, that I wish I knew more about hacking. :(
  • Operation: Who Wants To Be A Millionaire?
  • Remember though (Score:5, Interesting)

    by saskboy (600063) on Thursday February 16 2006, @03:19PM (#14736198) Homepage Journal
    If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

    On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...
  • by Anonymous Coward on Thursday February 16 2006, @03:19PM (#14736199)
    I can't imagine MS is gonna be too pleased with this.

    And they have a couple law-talkin guys on staff.
    • Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.
  • by MikeFM (12491) on Thursday February 16 2006, @03:23PM (#14736241) Homepage Journal
    This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

    As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.
    • Artifex does a bug bounty for ghostscript, but it's for patches, not for reports. $500 or $1000, depending on how critical a bug you fix.
      • I've heard of similar projects for Linux before but if they still exist I never hear anything about them. It really needs to be a well publicized project if such a thing exists - otherwise people won't know about it and contribute.
    • Yeah, and considering the $10,000 applies to vulnerabilities rated as "critical", you'd hardly ever pay out.

      A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.
  • by madnuke (948229) on Thursday February 16 2006, @03:24PM (#14736249)
    That isn't a lot when you could sell the exploit on the internet; the WMF exploit was a snip at $5000 each. Think how many people bought that: the malicious website, porn internet, fake anti-spyware companies like Win Hound. Somehow I don't think this will last long.
    • Yes but the idea is obviously to encourage the "good guys" to find and report the holes before the "bad guys" find out about them. Most people would not trade security holes for cash on the black market, but they would certainly deliver them to a security company for pay.
  • Found it! (Score:5, Funny)

    by Fr05t (69968) on Thursday February 16 2006, @03:26PM (#14736257)
    iexplore.exe

    You may send the prize money to PO Box 3872, Moncton, NB, Canada
  • by Weaselmancer (533834) on Thursday February 16 2006, @03:28PM (#14736284)

    They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

    Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.

  • by gasmonso (929871) on Thursday February 16 2006, @03:28PM (#14736289) Homepage

    Some Vista developer is saying to himself, "I'm gonna code me a minivan!"

    http://religiousfreaks.com/ [religiousfreaks.com]
  • by autopr0n (534291) on Thursday February 16 2006, @03:32PM (#14736313) Homepage Journal
    I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independently? What happens then?
  • by xxxJonBoyxxx (565205) on Thursday February 16 2006, @03:34PM (#14736355)
    "iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

    Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

  • by Anonymous Coward on Thursday February 16 2006, @03:37PM (#14736376)
    Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.
  • Maybe I am provocative... Anyway: when are we going to have similar initiatives for OSX or Linux?
  • Verisign?? (Score:3, Insightful)

    by Rob T Firefly (844560) on Thursday February 16 2006, @03:50PM (#14736499) Homepage Journal
    It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.
  • If iDefense (Verisign) can come up with $10K per critical Microsoft Windows flaw, why can't HP (or any other party interested in a secure environment) come up with money to support the development of applications for their own, very secure operating system: HP OpenVMS [hp.com]? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?
  • Users.

    My prize may be donated to the Association for Smacking Stupid People Upside the Head.
  • by TallMatthew (919136) on Thursday February 16 2006, @04:34PM (#14736885)
    "Here's your exploit, now where's my ten grand?"

    "Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."

  • What about beta? (Score:3, Insightful)

    by TopSpin (753) * on Thursday February 16 2006, @04:50PM (#14737034) Journal
    If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

  • DMCA violation? (Score:3, Interesting)

    by sl4shd0rk (755837) on Thursday February 16 2006, @06:10PM (#14737763)
    Do the world a great service by finding Windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the DMCA because you took apart some binaries. Don't agree? Why do you think Symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.
  • by Khyber (864651) <khyberkitsune@gmail.com> on Thursday February 16 2006, @06:14PM (#14737789) Journal
    d:\setup.exe

    I'll take my ten grand now. Oh wait, I found another one!!

    explorer.exe

    There's twenty grand you owe me now!
  • The devil is in the details. Any really good flaw reported will fall just this side of critical. Not critical, no $10,000.00. No bad press.
    • Re:WTF? (Score:3, Insightful)

      (a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]

      (b) People pay for these exploits beca
    • Why would "Russian hacker groups" be paying thousands of dollars for unpatched exploits? Not many remaining?

      I didn't RTFA, but I'd guess it goes something like:

      1. Pay thousands of dollars for working Windows exploit
      2. Create code that uses the exploit to install keyloggers or other nastiness
      3. ???
      4. Profit!!
    • by LordLucless (582312) on Thursday February 16 2006, @05:46PM (#14737587)
      There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.

      That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

      Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependent on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default Windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There are a few architectural security advantages Linux has over Windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for Windows.

      Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in Firefox. On my new laptop, however, I was browsing around using IE while I waited for Firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me. Thanks IE!
      • Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, [...]

        This is solely an application problem. It has _nothing_ to do with Windows.

        [...] and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement.

        It's always had the functionality.

        Windows developers have been encouraged for years to write programs dependent on

        • Encouraged how? What Microsoft documentation can you provide showing that developers have been told to write applications dependent on Administrator level access? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account?

          They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations. Ok, that was a good step. But you can't expect millions of program