Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Linux

Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days (bleepingcomputer.com) 91

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000, for the right exploit.
This discussion has been archived. No new comments can be posted.

Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days

Comments Filter:
  • by Joce640k ( 829181 ) on Friday June 29, 2018 @11:00AM (#56865850) Homepage

    Meanwhile: Windows exploits are still only worth $2.

    • by Anonymous Coward
      Based on the table embedded in the article, they are more expensive than the Linux ones.
      • Full credit to Microsoft though, they used to be Ten-a-Penny.

        (And before that they were free: Outlook used to simply execute any code that arrived in your inbox)

  • We already have more than enough for Windows and MacOS, no need to pay for anything there.

    • Re:In other words (Score:4, Insightful)

      by gweihir ( 88907 ) on Friday June 29, 2018 @11:21AM (#56865992)

      Pretty much this. Nobody would pay _this_ much for exploits for anything that was easy to attack. There is a good chance they will not actually get many exploits and probably nothing at all in the higher classes. Otherwise they would not offer this much.

      It is funny however, how some completely clueless morons here think this somehow says these OSes are inferior or that exploits in this price-range will ever be used for mass-attacks.

  • by Anonymous Coward

    This makes me sad. People working on open source projects get nothing. Sometimes they get some money. Sometimes they get some fame. People who don't build anything, but find a hole, they are heroes, they get prizes, they are worshiped.

    If there is a commonly used open source library without hackable bugs, you won't even hear about the author who committed his/her own time to build reliable software.

    If someone finds a bug, then she will get some prize, and will be invited to a conference. And the library auth

  • The scary part (Score:5, Insightful)

    by Anonymous Coward on Friday June 29, 2018 @11:10AM (#56865906)

    Being OSS systems, there's now real incentive for bad actors to try to INSERT "Zero day" exploits in to mainline code, putting yet even more pressure maintainers to try and keep them.

    • Creating a zero day so obscure that nobody notices and then you sell it.
      Wondering if the price is the same even if you write the bug...

      now... let me see the quality of systemd code...

      • by raymorris ( 2726007 ) on Friday June 29, 2018 @11:35AM (#56866094) Journal

        > now... let me see the quality of systemd code

        That's where I would go looking. Lennart Poettering has been pretty clear that his perspective is that it's not his job, or the job of the systemd developers, to write secure, robust code. It's the job of the annoying security people to point out the security issues and then convince him that the problem is so bad it absolutely must be fixed - even though that takes up time that could instead be used to make systemd bigger and more comprehensive.

        The last time I saw a similarly bad attitude about security was WordPress about 12 years ago. The leadership at WordPress got a better attitude after the media reported widespread exploits of exactly the kinds of exposures I had warned them about a couple years before.

    • Yes.... Reminds me of Dilbert where the PHB announces a new bug bounty program and the software developers leave the meeting commenting that they need to get going as they were gonna write up a new car over the weekend.

  • Step 1) Create an init system riddled with vulnerabilities and bad code
    Step 2) ?
    Step 3) Profit!

    And now we know that step 2 is to sell them to Zerodium

  • by account_deleted ( 4530225 ) on Friday June 29, 2018 @11:49AM (#56866178)
    Comment removed based on user account deletion
  • by martiniturbide ( 1203660 ) on Friday June 29, 2018 @11:59AM (#56866238) Homepage Journal
    Here goes my bid !!!
  • 0-day exploit in OpenBSD? Hahahaha
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      0-day exploit in OpenBSD?

      Hahahaha

      I suppose the reason why OpenBSD has the record it has is that they don't laugh at questions like that.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...