
VeriSign Puts Flaw Bounty on Vista and IE7

samzenpus posted more than 7 years ago | from the bug-money dept.


rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."


91 comments


Only 8k? (5, Interesting)

Anonymous Coward | more than 7 years ago | (#17548402)

Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self righteous will go for such a scam.

Wonder what they're really worth? (1)

Kadin2048 (468275) | more than 7 years ago | (#17548666)

Yeah I think they're seriously underestimating what a brand-new remote code execution flaw would be worth to the Russian mob. I'm pretty sure $8,000 is a lowball estimate.

Although I suppose you could play both ends against each other, if you were ballsy enough; sell it to Verisign and the mob. Too bad I have this silly fear of death.

Re:Wonder what they're really worth? (5, Funny)

Anonymous Coward | more than 7 years ago | (#17549620)

Too bad I have this silly fear of death

Yeah I wouldn't mess around with those Verisign guys either.....

Re:Only 8k? (0)

Anonymous Coward | more than 7 years ago | (#17548670)

Yeah, $8k is an insult to a serious vulnerability researcher.

Re:Only 8k? (2, Insightful)

w33t (978574) | more than 7 years ago | (#17548726)

Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self righteous will go for such a scam.

Then perhaps the simply righteous will step up.

"perhaps the simply righteous will step up" (2, Insightful)

tlambert (566799) | more than 7 years ago | (#17551218)

"perhaps the simply righteous will step up"

Yeah, and if "the righteous" could code, then there wouldn't be any exploits in the first place. 8-).

-- Terry

Re:Only 8k? (1)

Animaether (411575) | more than 7 years ago | (#17554738)

Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self righteous will go for such a scam.

Then perhaps the simply righteous will step up.

Whereas the truly righteous would have stepped up regardless of bounty. The simply righteous who would have stepped up before, but are now thinking "wait a second.. I can get money for this that isn't crook money? Right on!".. well. Them - 1:0 - humanity.

Re:Only 8k? (1)

w33t (978574) | more than 7 years ago | (#17563100)

By your argument we shouldn't have to pay police officers or indeed any public servants. It sounds to me that you are saying that doing anything helpful for payment is doing it for the wrong reason.

Well, if you need to eat, then you need to do something to get money. If there is no money in helping, then time you would spend helping will have to be spent making money instead - thus less help occurs.

But if you can get paid for helping, then you are getting money for food AND helping at the same time. This equates to more time spent helping since there is financial and real compensation involved.

Admitted, 8k is not much money. But if you find 10 vulnerabilities per year, well heck, that's not a terrible way to supplement an income. Let it be seen, too, that by making the 8k you have cost a harmer $50k by not allowing him to sell the exploit - thus you could see yourself as having made 8k and cost the competition $50k. That's good satisfaction - since you have helped even more by eliminating so much harm.

Of course, we have now run into the conundrum of harming the harmers - is this allowed? Is denying something to someone considered harm if the harm they would wreak by having this thing is greater?

Are we talking the lesser of two evils?

In this case, "do no harm" will actually allow more harm to occur. So should we instead live by a, "allow none to harm" philosophy?

Here the slope doth become slippery.

Re:Only 8k? (1)

Animaether (411575) | more than 7 years ago | (#17590424)

I agree on most of your points, but I disagree on the premise..

You say that by my argument, cops shouldn't get paid.. not at all. The comparison person for a cop would be somebody who actually works for a security firm. If you run it that way, then it becomes a matter of a paid security firm guy deciding against telling people about a flaw because they want to see -additional- money first. It's like a cop who already gets paid to do his job saying "I found the rapist.. but I'll want $12,000 before I tell you where he is, or he walks".

Going back then to somebody whose job isn't with a security firm / whatever.. if I as a lone person see a crime committed, should I hold out until they start offering witness rewards before telling the police what I saw? Tell me that's perfectly fine, and I say Them - 2:0 - Humanity

Put differently.. if you want to see money for the flaws you find - go get a job at a security firm, or start your own :)

Mind you - I'm not complaining about people who found a flaw and were going to report it anyway and see "wait, I can get 8k for this - let me go with that route".. good on them. I'd be complaining about the people who might go that route, fall short of the money-getting period, and then decide that they're not going to report it.. let it just sit, or sell it to evil-doers, or do evil with it themselves.

THROW IN A BAG OF CRACK WITH IT (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17548804)

and we'll call it even..

Re:Only 8k? (2, Insightful)

jt2377 (933506) | more than 7 years ago | (#17549260)

you're legally getting paid for the bug that you report. those black market sellers and buyers, if caught, can face jail time with your new jail mate bubba. you better hope you don't drop your soap during shower.

Re:Only 8k? (2, Interesting)

WK1 (987981) | more than 7 years ago | (#17549480)

I assume Verisign will actually pay you, while the mob might not. The mob may also turn you in in the future to save their own butts.

Most criminals will actually buy their own stuff, even though they could just steal it. There are advantages to doing things the legal way. Crime pays, but only until you get caught.

Re:Only 8k? (1)

Duncan3 (10537) | more than 7 years ago | (#17549732)

Glad someone brought this up already. It's very widely known that 50k is lowball for Vista holes.

This is very good for security researchers tho, as we can't go sell to the Russians.

Re:Only 8k? (1)

Plutonite (999141) | more than 7 years ago | (#17549964)

And how do you know this?

A lot of people talk about the "black market" but very few have ever been involved. There is so much collaboration now between intelligence and ISPs that it is quite difficult to make big money without having your butt exposed. I personally have never tried, despite being very interested in this "field", but from what I hear much of the money comes from bots/adware as opposed to the hollywood-ish hack-a-bank for the mafia nonsense.

Perhaps some of the more involved Anonymous Cowards can tell us more about the [evil]market?

Re:Only 8k? (1)

TheThiefMaster (992038) | more than 7 years ago | (#17554504)

You could always sell it to both groups.

The ping of death (2, Interesting)

compandsci (1045690) | more than 7 years ago | (#17548428)

I remember that win 95 had a flaw that allowed anyone to DoS the computer over the network.
This was hilarious to use at the LAN parties.

It would be good fun if someone found a similar flaw with vista and wrote a Linux client for it :)

Re:The ping of death (0)

Anonymous Coward | more than 7 years ago | (#17553530)

Windows 98 too. Large ping packets (>64 KB) caused an integer overflow which made the offending (and they are offensive) systems crash and/or unreliable in the extreme.

With Vista having a new networking stack, the possibility of something like this is remarkably high.

Economics 101 or Why I Love Bounties (4, Funny)

WillAffleckUW (858324) | more than 7 years ago | (#17548450)

1. Put bounty of $8000 on bugs for Vista and IE7.

2. Get friend to go work at MSFT.

.

4. PROFIT!

Re:Economics 101 or Why I Love Bounties (4, Insightful)

Drawkcab (550036) | more than 7 years ago | (#17548558)

What would you be offering in that equation that would lead to profit for you rather than your friend? Finding exploits is non-trivial even with the code in front of you. And if the guy is working at Microsoft with full access to the source repository and a talent for spotting this sort of thing, they're already making at least $8000 a month anyway (which they don't have to split with you), and could probably be amply rewarded in their career if they made a habit of finding and fixing those exploits.

Re:Economics 101 or Why I Love Bounties (1)

textstring (924171) | more than 7 years ago | (#17548632)

Quite right you are pointing out the missing step, here it is:

3. ???

Re:Economics 101 or Why I Love Bounties (3, Funny)

WillAffleckUW (858324) | more than 7 years ago | (#17548812)

Quite right you are pointing out the missing step, here it is:

3. ???

Darn. Guess you get the US $8000 bounty. Now, let's see, that's about 2 Euros, right?

Re:Economics 101 or Why I Love Bounties (2, Funny)

dreddnott (555950) | more than 7 years ago | (#17548702)

I think the way that you would want to do it, and the way that the grandparent poster probably intended, is to have your friend work at Microsoft, put in his OWN bugs and holes in the code, and tell you what the vulnerabilities are so that YOU write exploit code for it and get the money.

This would probably work until QA at Microsoft tracked down the singular source of most of the exploited vulnerabilities in the past few months.

Considering the number and regularity of vulnerabilities in Microsoft software recently, I wouldn't be surprised if one of their employees was already doing this, but selling them on the more lucrative black market instead.

Re:Economics 101 or Why I Love Bounties (4, Funny)

Atario (673917) | more than 7 years ago | (#17553574)

--------joke------------>

      O
     /|\      <--- you
      |
     / \

Makes me wonder... (0)

Anonymous Coward | more than 7 years ago | (#17548822)

Wouldn't internal Microsoft employees be able to look up bugs that only they know about and then sell those off to third parties to exploit?

Assuming they're not doing this already, that is.

So this is Microsoft's long term profit strategy.. (1)

Odiumjunkie (926074) | more than 7 years ago | (#17548456)

use insider knowledge of their own software to extract trillions of dollars from VeriSign!

Come on, no-one actually thought people could use MS software for anything else did they?

If you read TFA.. (2, Informative)

ganjadude (952775) | more than 7 years ago | (#17548580)

If you read TFA you would see that they are only offering six $8K rewards; it's not unlimited, you cannot make trillions.

Re:So this is Microsoft's long term profit strateg (1)

dreamlax (981973) | more than 7 years ago | (#17553804)

use insider knowledge of their own software to extract trillions of dollars from VeriSign!

Why make trillions when you could make . . . billions?

Four Steps to Profit (0, Redundant)

Glacial Wanderer (962045) | more than 7 years ago | (#17548478)

1) Go get a job at Microsoft
2) Work some of my magic mojo on the next version of Windows
3) Quit my job at Microsoft
4) Profit!!!

Re:Four Steps to Profit (4, Informative)

creimer (824291) | more than 7 years ago | (#17548540)

Didn't you read the fine print... current/former Microsoft employees not allowed. Otherwise, every anonymous coward at Microsoft would get the same idea and sabotage Vista/IE7 to collect the reward. Crime isn't supposed to pay if you're a non-monopolist!

Re:Four Steps to Profit (2, Insightful)

Sosarian (39969) | more than 7 years ago | (#17549174)

Microsoft is in the habit of knowing about bugs but not fixing them if they're not out in the wild.

They could turn in bugs they already know about :)

Re:Four Steps to Profit (0, Flamebait)

bronzey214 (997574) | more than 7 years ago | (#17551508)

This is /.!!!

We don't read TFA much less the fine print!

Re:Four Steps to Profit (1)

creimer (824291) | more than 7 years ago | (#17551742)

So you're admitting that you didn't get the memo either? Figures... :p

Effective... (5, Insightful)

clifgriffin (676199) | more than 7 years ago | (#17548508)

While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

So, not so stupid. Unlike most of the posts on this article so far.

Re: Effective (1)

TobyRush (957946) | more than 7 years ago | (#17548740)

$8000 is a substantial reward. However, though we're free to use any methods necessary, Darth wants them ALIVE. No disintegrations!

Re:Effective... (0)

Anonymous Coward | more than 7 years ago | (#17548742)

Anyone could broker a deal with the bad guys for more money. In some parts of the world it's big money but $8000 would short-change most of us for 2-3 months work. If I was bug-hunting a turd like Vista I'd want more money than that, MSFT would probably offer more money if a researcher put a price on non-disclosure - it's not like they're in a position to complain about ethics.

Re:Effective... (4, Insightful)

LoudMusic (199347) | more than 7 years ago | (#17548864)

While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

So, not so stupid. Unlike most of the posts on this article so far.

Except that not everyone, in fact very few, will eventually be given a reward while hundreds of thousands of individuals spend possibly hundreds of hours each searching for flaws.

What it's really doing is getting those hundreds of thousands of individuals to do someone else's (Microsoft's) job for them for damn near free.

Re:Effective... (2, Insightful)

Eskarel (565631) | more than 7 years ago | (#17549176)

If hundreds of thousands of individuals spend hundreds of hours searching for bugs and only a very few find anything they can cash in, then Microsoft has already done its job. Verisign just wants to make sure they have.

Re:Effective... (1)

LoudMusic (199347) | more than 7 years ago | (#17556532)

If hundreds of thousands of individuals spend hundreds of hours searching for bugs and only a very few find anything they can cash in, then Microsoft has already done its job. Verisign just wants to make sure they have.

I guess that depends on how you define very few. For simplicity's sake, let's call it 1%. 1% of hundreds of thousands is still thousands.

How is thousands of flaws defined as a good job?

Re:Effective... (1)

staticdaze (597246) | more than 7 years ago | (#17549862)

Except that not everyone, in fact very few, will eventually be given a reward while hundreds of thousands of individuals spend possibly hundreds of hours each searching for flaws.

What it's really doing is getting those hundreds of thousands of individuals to do someone else's (Microsoft's) job for them for damn near free.

If it takes hundreds of thousands of individuals at hundreds of hours each to find a bug in a product, I would say that Microsoft already did a damn fine job.

Re:Effective... (1)

staticdaze (597246) | more than 7 years ago | (#17550092)

Erm...haven't refreshed in a while, Eskarel said the same thing a few hours prior. Direct all moderation at him :)

Moar money (5, Funny)

zecg (521666) | more than 7 years ago | (#17548528)

"In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

The company spokesman also added they'll double the bounty if the submitter already used the exploit to build a botnet and triple it if they promise to use it to send a metric assload of e-mails with the subject "ha-ha" to everyone@microsoft.com.

Re:Moar money (1)

Aminion (896851) | more than 7 years ago | (#17549880)

if they promise to use it to send a metric assload of e-mails with the subject "ha-ha" to everyone@microsoft.com.

How many rods to the hogshead is that?

fix in 1 day?? (1)

ganjadude (952775) | more than 7 years ago | (#17548546)

Did microsoft have a change of management already???

FTA: Microsoft typically frowns on the broker market for flaws in its products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the company said during the last iDefense hacking challenge.

"Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user," a Microsoft spokesperson, in Redmond, Wash., said at that time.

Re:fix in 1 day?? (1)

HeroreV (869368) | more than 7 years ago | (#17550282)

Why tell the truth if you're going to get your quote published regardless?

Re:fix in 1 day?? (0)

Anonymous Coward | more than 7 years ago | (#17554884)

Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known

It's not "fix in one day" but "don't tell anyone until we say so".

Not going to work (5, Interesting)

AngryDad (947591) | more than 7 years ago | (#17548560)

iDefense asks you to provide all your background information, names, addresses, telephones, photocopies of IDs, etc. Most people who can find vulnerabilities will not be willing to sacrifice their privacy. When iDefense and the like will only ask for an e-mail address to PayPal funds to, I'd be first in line to talk to them.

Re:Not going to work (3, Funny)

Zonnald (182951) | more than 7 years ago | (#17548720)

Dear Sir,

You have just won a new Boat!
Please come down to the stadium to pick it up.

Regards

Det. Sgt. Smith

Re:Not going to work (1)

dangitman (862676) | more than 7 years ago | (#17549082)

Ow! My boating arm!

Re:Not going to work (1)

Otter (3800) | more than 7 years ago | (#17548816)

When iDefense and the like will only ask for an e-mail address to PayPal funds to, I'd be first in line to talk to them.

Tell you what, Mr. Haxx0r -- you find a qualifying vulnerability, let me know, I'll give them my info and Paypal $7500K to you.

Re:Not going to work (0)

Anonymous Coward | more than 7 years ago | (#17549186)

Tell you what, Mr. Haxx0r -- you find a qualifying vulnerability, let me know, I'll give them my info and Paypal $7500K to you.

I bet the Russian Mob would sell you their secrets at that price.

Re:Not going to work (1)

FormOfActionBanana (966779) | more than 7 years ago | (#17549258)

where are you going to get the 7 million dollars?

Re:Not going to work (0)

Anonymous Coward | more than 7 years ago | (#17550936)

7.5, thank you very much!

Sounds like a low figure (2, Insightful)

Hyram Graff (962405) | more than 7 years ago | (#17548564)

$8000 might sound like a lot until you compare it to the stories we see of vulnerabilities being sold for $50,000 on underground sites. Why should I sell my findings to them for a much smaller amount?

Re:Sounds like a low figure (2, Insightful)

w33t (978574) | more than 7 years ago | (#17548830)

Why should I sell my findings to them for a much smaller amount?

If you can help someone and get paid 8 dollars, or hurt someone and get 50 dollars, what would you do?

I think it's good that there is any compensation at all for white hats who would otherwise receive no compensation at all for doing the least harmful thing. It would be nice if the rewards for help were on par with harm, but helping is reward in itself for some - and a bit extra reward helps the motivation.

Re:Sounds like a low figure (0)

Anonymous Coward | more than 7 years ago | (#17549040)

I'd hurt someone for 8 dollars if I only got 50 for helping someone ^^

Or sell to both (1)

Anonymous Coward | more than 7 years ago | (#17549078)

Or sell it for $50,000 and then resell it again for $8000 + extra $4000 bonus. Not only will you be "helping", you'll also be screwing those adware vendors out of $50,000.

Cheap testing for MS (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#17549954)

Even if MS was behind this it would make sense...

Determined, motivated hackers will do better testing than internal testers and cost less too! For each $8k prize issued there'd probably be a few hundred people each spending many hours. Cheap, very cheap!

Re:Sounds like a low figure (2, Insightful)

Onymous Coward (97719) | more than 7 years ago | (#17553286)

Exactly.

Perhaps eBay is the appropriate way to monetize on this kind of research.

I'm joking. Quit agreeing.

Re:Sounds like a low figure (1)

eneville (745111) | more than 7 years ago | (#17554744)

$8000 might sound like a lot until you compare it to the stories we see of vulnerabilities being sold for $50,000 on underground sites. Why should I sell my findings to them for a much smaller amount?

USD 8000 a lot? multiply that by the past exploits of a new code base such as win9x.. verisign shares must bump a lot....

Russian Hackers (0, Redundant)

feld (980784) | more than 7 years ago | (#17548566)

In Soviet Russia, vulnerability finds YOU! Seriously though, do you think those underground Russian hackers will haggle with VeriSign? They were selling for a lot more than $8,000!

Probably not even all that much money (1)

Sciros (986030) | more than 7 years ago | (#17548570)

$8000 for a bug report seems like a lot but I wonder if Microsoft's QA folks don't end up earning at least as much for any serious bugs they manage to uncover towards the end of development (salary:bugs ratio, that is). And at this point, it should take a very serious amount of effort to uncover a big vulnerability (well, hopefully), perhaps such that $8000 isn't even worth the time for some.

By the way it would not be that great of an idea for MS employees to go around submitting bugs to VeriSign, particularly if they get published and traced back to some feature those employees were working on ;-) So, yeah haha big plot by Microsoft to get billions from VeriSign, but not really. The only people that will profit from this IMO are poor computer hackers or IT folks who somehow happened to be using a buggy feature in Vista during work and noticed it.

Re:Probably not even all that much money (1)

IngramJames (205147) | more than 7 years ago | (#17548916)

$8000 for a bug report seems like a lot but I wonder if Microsoft's QA folks don't end up earning at least as much for any serious bugs they manage to uncover towards the end of development (salary:bugs ratio, that is). And at this point, it should take a very serious amount of effort to uncover a big vulnerability (well, hopefully), perhaps such that $8000 isn't even worth the time for some.

I think that there WILL be a very serious amount of effort devoted to finding the vulns, actually. A HUGE effort. IANAMT (I am not a Microsoft Tester).. but the vulnerability flaws will always be there in any complex product. On the one hand, you have a finite number of MS coders (and there are always those late, late nights) and MS testers, and on the other hand you have a finite (but much larger) number of l33t l33t skr1pt k1dd13s L0L pwnd, who are all running vuln tests against every conceivable part of the software. That's like a huge distributed network of testers; something that not even MS can afford to do. And these kiddies do it for fun! And profit!

I'm sure that MS have covered their bases much better than in the past. But even if you got the ten best white-hats in for a year (10 man years), you've still got several thousand boy-years of crackers out there, waiting in the wings. One or two will get lucky.

I, for one, welcome our new Verisign overlords.

Re:Probably not even all that much money (0)

Anonymous Coward | more than 7 years ago | (#17549864)

but the vulnerability flaws will always be there in any complex product

No, that's not true if you use Linux or OS X. At least, that's what I read on Slashdot.

You read it wrong (0)

Anonymous Coward | more than 7 years ago | (#17553716)

but the vulnerability flaws will always be there in any complex product

No, that's not true if you use Linux or OS X. At least, that's what I read on Slashdot.

It's not true if you use BSD.

NOT the best business move! (5, Funny)

Arthur Dent '99 (226844) | more than 7 years ago | (#17548594)

Paying $8000 for each exploitable security flaw in Microsoft products is a quick way to put a company into bankruptcy! I noticed that the bounty only applies to the first six submissions, though, so VeriSign is only out $48000.

Who else here thinks that VeriSign will then turn around and sell the winning entries to the black market for $50000 each? hehe

Re:NOT the best business move! (1)

Hotawa Hawk-eye (976755) | more than 7 years ago | (#17549894)

I think VeriSign will turn around and offer those six submitters jobs testing VeriSign products (or testing Windows after making a deal with Microsoft to sell them knowledge of vulnerabilities) or will contact Microsoft HR and ask how much the finder's fee is.

The law on unintended consequences (4, Funny)

andersen (10283) | more than 7 years ago | (#17548636)

Pointy Haired Boss: Our goal is to write bug-free software. I'll pay a ten dollar bonus for every bug you find and fix.
Dilbert: Yahoo!
Alice: We're rich
Wally: Yes!!! Yes!!! Yes!!!
Pointy Haired Boss: I hope this drives the right behavior.
Wally: I'm gonna write me a new minivan this afternoon!

http://www.ourlocalstyle.com/images/uploadImages/2006/05/13/dilbert_bugFixMinivan.gif [ourlocalstyle.com]

That'll be interesting (1)

QueePWNzor (1044224) | more than 7 years ago | (#17548678)

Considering that over half the world will be using those soon, and knowing MS, let's hope that: a. Normal users are too stupid to figure out the bugs that destroy their comps, b.VeriSign is very, very, rich, and c. We remember this opportunity, because if you're reading Slashdot, you should be able to detect and report all flaws you come about (in Vista, 500,000,000 per second.) Don't be lazy!

Actually, be lazy. I want to cash in.

Oh, please (2, Insightful)

lawrenlives (991376) | more than 7 years ago | (#17548872)

I'd like to think not everyone involved in the "field" is a scumbag criminal in cahoots with the Russian mafia. Go ahead, prove me wrong! Despite the seemingly faceless nature of corporations, it's always human beings like you and me that get screwed in the end.

right, not all are Russian mafia (2, Funny)

r00t (33219) | more than 7 years ago | (#17551448)

Some are working with the Russian military.

Why is Verisign doing this? (1)

SeaFox (739806) | more than 7 years ago | (#17548890)

I think Microsoft should be the one who has to pay for the vulnerabilities. Maybe then they will have a little bit more of an incentive to produce secure code. The usual market force for this sort of thing (customers will drop the vendor for one who supplies the more secure solution) does not apply when you have a monopoly.

Re:Why is Verisign doing this? (1)

Josef Meixner (1020161) | more than 7 years ago | (#17554284)

Ah, you don't know iDefense's business model, I see. They have paying customers who get the vulnerability descriptions and exploits first, while the contacted company tries to fix the flaw. After some time it is released to the public. So they directly earn money from those flaws and so have an interest in getting flaws made available to them exclusively. They aren't the only ones doing business like that.

Re:Why is Verisign doing this? (1)

somersault (912633) | more than 7 years ago | (#17554706)

Ahem... [google.co.uk] Meh, I guess that works too.

So Now I Can Legally Attempt To Compromise M$ ?? (3, Funny)

TastyWheat (302413) | more than 7 years ago | (#17548896)

And get paid for it??

Hax0r1ng is getting better all the time!
And they said we were just a bunch of internet hooligans.

muahahhaha

Re:So Now I Can Legally Attempt To Compromise M$ ? (0, Offtopic)

mackyrae (999347) | more than 7 years ago | (#17552692)

That's been going on for years. There used to be companies offering $10,000 per exploit, so you spend a month furiously finding them, sell them 10-20 bugs, and you're set for the year. Apparently my boyfriend decided to support himself that way for a while O_o

Chump Change (1)

pestilence669 (823950) | more than 7 years ago | (#17549016)

Don't they know how much money you can make blasting Cialis advertisements on random people's computers? AdWare is much more lucrative. They need to step that bounty up. Remote execution exploits for Windows are like virtual gold.

Why only Microsoft product flaws? (0)

Anonymous Coward | more than 7 years ago | (#17549018)

Why not do this for all major software? If MS code is so much buggier than the rest then offering bounties on other code shouldn't cost a lot more, and we'd see fewer bugs all round.

Legal? (1)

nurb432 (527695) | more than 7 years ago | (#17549100)

Is it even legal to look for possible holes anymore?

With all the legal issues and suits flying around, I'd be sort of afraid to admit I knew something.

that is what I was wondering (1)

zogger (617870) | more than 7 years ago | (#17552522)

If it is legal to do this, why not just legally auction it then? You'll get the best price and can set a minimum bid.

If it is illegal, wouldn't verisign be in a bit of a bother now offering to purchase such a thing?

how much more (0, Redundant)

koan (80826) | more than 7 years ago | (#17549138)

Would you get selling the exploit to some nefarious hoodwinks?
30K?
50k?

Greedo shot first (1)

dangitman (862676) | more than 7 years ago | (#17549144)

A: "I'm a bug hunter"

B: "You exterminate insects, then?"

A: "Sort of. It involves looking in lots of holes. That's all I can say right now. I'm late for a meeting with Jabba."

Pfft (2, Insightful)

Tom (822) | more than 7 years ago | (#17549796)

What a cheap publicity stunt.

A 0day of this kind is worth at least twice that on the black market, mostly to the botnet creators who are the base of all the spam we get.

Re:Pfft (0)

Anonymous Coward | more than 7 years ago | (#17550528)

Agreed, organized crime is heavily into exploits since it is a primary tool for internet marketing and other mischief. There is big money in this marketing/crime. The zombie botnets set up around the world are used to spam and carry out denial of service attacks - often used to blackmail sites out of small fortunes. Even the largest ISPs can barely keep up with the constantly changing botnets, and almost all of them exist thanks to Windows exploits.

Re:Pfft (1)

danzona (779560) | more than 7 years ago | (#17557948)

A 0day of this kind is worth at least twice that on the black market, mostly to the botnet creators who are the base of all the spam we get

There have been a few posts of this nature in this discussion.

You seem to be saying that if someone finds an exploit they have the following choices:
(a) Turn in the exploit to the good guys for $10,000
(b) Sell the exploit to the bad guys for $20,000 and know that they will be contributing to human misery

I can't be the only person who would select the first option.

Now if it was $10,000 vs $20,000,000...

I assume the $8000 is... (1)

JourneyExpertApe (906162) | more than 7 years ago | (#17550384)

...to offset the winner's legal expenses. Do you get an additional prize if you are actually convicted?

In other news... (2, Funny)

MattPat (852615) | more than 7 years ago | (#17551062)

...both Apple and Cisco are suing VeriSign for the use of iDefense in the name of their labs. Apple claims that it dilutes their brand identity, and Cisco claims that they've been selling "defense" hardware with the "i" trademark for years!

YUO FAIL IT (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17552730)

survive at all worthwhile. So I progress. In 1992, practical purposes FreeBSD at about 80 going to continuie,

They should have used the money elsewhere.. (1)

Madsy (1049678) | more than 7 years ago | (#17553504)

..like for instance as a bribe to the ad-ware industry. It could cease development of ad-ware for hours, if not days!

Microsoft (1)

endianx (1006895) | more than 7 years ago | (#17555994)

Why is a 3rd party doing this, instead of Microsoft? If they have such confidence in the security of their new software, I would think they would be open to such a thing. Seems like a win/win to me. Either they get big media attention for having secure software, or they get attention for having bugs, but they were fixed, and it looks like Microsoft was actually doing something to make that happen.

Dear Verisign, (1)

muckdog (607284) | more than 7 years ago | (#17557244)

Attached are working exploits for 832 different new vulnerabilities in Microsoft Vista and IE7. Please send me my check for $8,320,000. Sincerely, Bob Smith Sr. Software Engineer bsmith@microsoft.com

Not a security flaw, but a real IE7 WTF (1)

jo42 (227475) | more than 7 years ago | (#17561846)

URLs of the format:

ftp://account:password@ftp.example.com

no longer appear to work in IE7. Fargh!