Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Metasploit Launches Exploit Bounty Program

Soulskill posted more than 3 years ago | from the lighting-a-fire dept.

Security 26

Trailrunner7 writes "The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer. The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list — which includes a flaw in Google Chrome and another in the Windows DNS client — is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules."

cancel ×

26 comments

Sorry! There are no comments related to the filter you selected.

First Bug (0)

Anonymous Coward | more than 3 years ago | (#36438976)

Here's the trace: System Error [microsoft.com] .

Enjoy.

Yours In Osh,
K. Trout

Re:First Bug (1)

Drethon (1445051) | more than 3 years ago | (#36439022)

The first thing that comes up with the Windows Phone... seems appropriate to the not so subtle hint here

How much for an exploit of Metasploit? (0)

Anonymous Coward | more than 3 years ago | (#36439040)

Something that would send IP address and personal information from the local hard drive to a central server?

Caveat (2, Funny)

93 Escort Wagon (326346) | more than 3 years ago | (#36439042)

Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules.

Unfortunately the bounties are being paid using Bitcoin.

Re:Caveat (-1)

Anonymous Coward | more than 3 years ago | (#36439072)

And a ride on Bubba's cock.

Not bad, but more than $100. (1)

elucido (870205) | more than 3 years ago | (#36439230)

If they are only paying $100 to write the code, that's just cheap.

When the bounties reach $1000, and there are plenty of bounties to choose from that could work.

Re:Caveat (0)

Anonymous Coward | more than 3 years ago | (#36439650)

Actually, AMEX gift cards.

Sounds like a honeypot (-1)

Anonymous Coward | more than 3 years ago | (#36439102)

Seriously, in order to get paid somebody needs to know who you are. Who you really are. Even if Metasploit isn't collecting this information to compromise you, anyone who gets into Metasploit (legally or not) will then have all the personal information of anyone who writes one of these exploits.

Makes them a giant target offering a huge collection of exploit writers.

Re:Sounds like a honeypot (1)

elucido (870205) | more than 3 years ago | (#36445666)

is it illegal to write an exploit?

I think they might need to offer more money (1)

elucido (870205) | more than 3 years ago | (#36439160)

If the price is right, I and others might take them up on their offer.
$500 isn't enough money. I can't even buy a decent computer with that.

They need to offer at least $1000, and if it's an exploit that has to be exactly what they are looking for then it should be several thousand.

Re:I think they might need to offer more money (2)

0100010001010011 (652467) | more than 3 years ago | (#36439194)

Considering google Is offering $1337 [computerworld.com] it really doesn't seem like a lot.

Re:I think they might need to offer more money (2)

elucido (870205) | more than 3 years ago | (#36439280)

$1337 is enough money to buy a brand new computer. It's enough money to pay rent for a month. That's the kind of money that would make me invest the time.

And of course they need a system of determining who is working on what and some sort of reservation system. If I agree to write code, I don't want anyone else writing the same code. Anyway it's a start, and I hope more companies and websites start offering these kinds of bounties. They won't have any problem finding people looking to write exploit code in this economy.

Re:I think they might need to offer more money (0)

Anonymous Coward | more than 3 years ago | (#36441318)

the more people writing the same exploits the better. first working sploit wins the cash. you lose if you're too slow, simple as that.

Re:I think they might need to offer more money (0)

Anonymous Coward | more than 3 years ago | (#36447314)

Where the heck do you live ? That would cover my rent for 2 weeks :-(

Re:I think they might need to offer more money (1)

ginbot462 (626023) | more than 3 years ago | (#36450852)

Not california or new england. But, would work in the south.

Re:I think they might need to offer more money (2)

Julie188 (991243) | more than 3 years ago | (#36440012)

My thoughts exactly. Mozilla and Google are offering about $3,000 for exploits and TippingPoint has got a whole multi-tiered points-scheme for them. Some of the exploits they want modules for look pretty complicated, and worth more than $100. But given that many people would contribute to Metasploit for free, I suppose its still a nice Bug Bounty experiment.

Julie

Re:I think they might need to offer more money (1)

Anonymous Coward | more than 3 years ago | (#36444010)

This is a completely false analogy. Mozilla, Google, and TippingPoint have bounty programs to buy *bugs* (not exploits) that have not been previously disclosed. This program is looking for *exploits* for bugs that have already been made public. While there's a huge difference in the amount of effort required to develop reliable exploit code versus simply identifying a vulnerability, the fact that the bugs are already public significantly decreases the value these exploits could fetch on alternative markets. Considering it's all in the name of community effort and everything will be released under a BSD license, it seems like this is supposed to be a way to reward contributors who might have written these exploits anyway and be just enough to convince potential contributors to pitch in, rather than a true "pay people for their work" scenario.

Re:I think they might need to offer more money (1)

elucido (870205) | more than 3 years ago | (#36445680)

This is a completely false analogy. Mozilla, Google, and TippingPoint have bounty programs to buy *bugs* (not exploits) that have not been previously disclosed. This program is looking for *exploits* for bugs that have already been made public. While there's a huge difference in the amount of effort required to develop reliable exploit code versus simply identifying a vulnerability, the fact that the bugs are already public significantly decreases the value these exploits could fetch on alternative markets. Considering it's all in the name of community effort and everything will be released under a BSD license, it seems like this is supposed to be a way to reward contributors who might have written these exploits anyway and be just enough to convince potential contributors to pitch in, rather than a true "pay people for their work" scenario.

Nah, they are just doing this because they can get most of the code written by kids in India somewhere where $100 means something.

it's about time (1)

v1 (525388) | more than 3 years ago | (#36439190)

I'm amazed it took this long for this public of a bounty to get going. The blackhat market has traded in exploits for years now, and vendors have just now really started getting on the bug-bounty-bandwagon, it was only a matter of time before metasploit and other popular "other side of the fence" offers came up. I wonder what Zeus's authors are paying nowadays? And I wonder what exactly the results of competition in this sector will be? (good for us? bad for us? just a good show?)

Re:it's about time (2)

elucido (870205) | more than 3 years ago | (#36439316)

Definitely good. Most of this exploit code looks trivial to write, just time consuming.

The more money they put up to allow people to make money, the more people they'll have writing exploit code.

Let the market decide the price (1)

Anonymous Coward | more than 3 years ago | (#36439202)

Surely the best thing for them to do would be to let the market decide the price. People can then 'bid' to be the person that received information about the vulnerability, and then other people can try to outbid them if they value that exploit more. Metasploit could then take a cut of the price, just like eBay.

Companies particularly interested in getting information first about exploits in their software could bid high to ensure their offer is always taken up first.

Re:Let the market decide the price (1)

elucido (870205) | more than 3 years ago | (#36439334)

That is actually a very good idea.

Coders Intentionally Create a Flaw...Then Ca$h In? (0)

Anonymous Coward | more than 3 years ago | (#36439310)

I foresee programmers intentionally creating a flaw that will get their code on the list, then they'll "fix" it and get paid.

$100 bounty is an insult (0)

Anonymous Coward | more than 3 years ago | (#36439806)

I've heard about $20-40K (cashed in) bounties for real life exploits ...
$100 is an insult.

Too Little (1)

Anonymous Coward | more than 3 years ago | (#36447150)

I like Metasploit and I know they haven't got the funds for big bounties but $100 is a joke. I can make that sort of money doing an hour of code review consulting work rather than spending a week trying to find some elusive BoF with zero-knowledge. Anything less than a few grand just isn't worth it when you can get a much greater return of investment of your effort elsewhere.

On Windows DNS ClientCache & more (0)

Anonymous Coward | more than 3 years ago | (#36450266)

I wrote a response to a MS Manager who posts here, Foredecker, more than 2++ yrs. ago here on this very site and in emails to he (as well as posts on MS' own sites to Mr. Steven Sinofsky):

This is specifically where he ADMITS that I was correct too, because using 0 creates a SMALLER HOSTS FILE TO PARSE, period:

http://slashdot.org/comments.pl?sid=1467692&cid=30384918 [slashdot.org]

That was also in regards to problems with the local DNS cache, AND, in how Windows VISTA, 7, & Server 2008 have ruined a more efficient way to process HOSTS file data!

(By disallowing using 0 as a blocking "address", after the 12/09/2008 MS "Patch Tuesday" fix - Windows 2000/XP/Server 2003 can STILL USE 0!)

The point there was that using 0 as a blocking IP address, IS MORE EFFICIENT (especially in larger HOSTS files, which I elect to use to protect myself for more "layered security" vs. malware & such) vs. the larger & slower 0.0.0.0 or 127.0.0.1 (largest & slowest of them all - plus, it incurs the "loopback operation" as well, the other 2 just "blackhole")).

He said he'd get back to me on it... think he did? No. Was this corrected, so it operates as efficiently as Windows 2000/XP/Server 2003 do?? Again, no...

(Funniest part is, he is/was the SENIOR VP of the "Windows Client Performance Division", & you'd think he was interested in gaining greater performance out of them! Apparently not!)

You can point out corrections to these people ALL DAY, & you'll get the answer I did from him:

"You're micro-optimizing"

Funny answer that!

Especially from the guy who is/was SENIOR VP OF THE MICROSOFT WINDOWS CLIENT PERFORMANCE DIVISION, eh? Not!

APK

P.S.=> The local DNS client cache service CHOKES on larger HOSTS files... the structure it loads into is LIMITED IN SIZE/STATIC, & that's a problem (I am fairly certain) in it, for one thing (in addition to the ability to send it bogus data to make it screw up)... apk

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?