Metasploit Launches Exploit Bounty Program
Trailrunner7 writes "The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer. The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list — which includes a flaw in Google Chrome and another in the Windows DNS client — is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules."
Caveat (Score:3, Funny)
Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules.
Unfortunately the bounties are being paid using Bitcoin.
Not bad, but more than $100. (Score:2)
If they are only paying $100 to write the code, that's just cheap.
When the bounties reach $1000 and there are plenty of bounties to choose from, that could work.
Re: (Score:2)
Is it illegal to write an exploit?
I think they might need to offer more money (Score:2)
If the price is right, I and others might take them up on their offer.
$500 isn't enough money. I can't even buy a decent computer with that.
They need to offer at least $1000, and if it's an exploit that has to be exactly what they are looking for then it should be several thousand.
Re: (Score:3)
Considering Google is offering $1337 [computerworld.com], it really doesn't seem like a lot.
Re: (Score:3)
$1337 is enough money to buy a brand new computer. It's enough money to pay rent for a month. That's the kind of money that would make me invest the time.
And of course they need a system of determining who is working on what and some sort of reservation system. If I agree to write code, I don't want anyone else writing the same code. Anyway it's a start, and I hope more companies and websites start offering these kinds of bounties. They won't have any problem finding people looking to write exploit code in
Re: (Score:1)
Not California or New England. But it would work in the South.
Re: (Score:3)
Julie
Re: (Score:1)
This is a completely false analogy. Mozilla, Google, and TippingPoint have bounty programs to buy *bugs* (not exploits) that have not been previously disclosed. This program is looking for *exploits* for bugs that have already been made public. While there's a huge difference in the amount of effort required to develop reliable exploit code versus simply identifying a vulnerability, the fact that the bugs are already public significantly decreases the value these exploits could fetch on alternative marke
Re: (Score:2)
This is a completely false analogy. Mozilla, Google, and TippingPoint have bounty programs to buy *bugs* (not exploits) that have not been previously disclosed. This program is looking for *exploits* for bugs that have already been made public. While there's a huge difference in the amount of effort required to develop reliable exploit code versus simply identifying a vulnerability, the fact that the bugs are already public significantly decreases the value these exploits could fetch on alternative markets. Considering it's all in the name of community effort and everything will be released under a BSD license, it seems like this is supposed to be a way to reward contributors who might have written these exploits anyway and be just enough to convince potential contributors to pitch in, rather than a true "pay people for their work" scenario.
Nah, they are just doing this because they can get most of the code written by kids in India somewhere where $100 means something.
it's about time (Score:2)
I'm amazed it took this long for this public of a bounty to get going. The blackhat market has traded in exploits for years now, and vendors have just now really started getting on the bug-bounty bandwagon; it was only a matter of time before Metasploit and other popular "other side of the fence" offers came up. I wonder what Zeus's authors are paying nowadays? And I wonder what exactly the results of competition in this sector will be? (Good for us? Bad for us? Just a good show?)
Re: (Score:3)
Definitely good. Most of this exploit code looks trivial to write, just time-consuming.
The more money they put up to allow people to make money, the more people they'll have writing exploit code.
Let the market decide the price (Score:1)
Surely the best thing for them to do would be to let the market decide the price. People can then 'bid' to be the person that received information about the vulnerability, and then other people can try to outbid them if they value that exploit more. Metasploit could then take a cut of the price, just like eBay.
Companies particularly interested in getting information first about exploits in their software could bid high to ensure their offer is always taken up first.
Re: (Score:2)
That is actually a very good idea.
Too Little (Score:1)