iDefense puts $16,000 bounty on critical infrastructure app flaws

Verisign's iDefense has put up a $16,000 prize for any hacker who can find a remotely exploitable flaw in any of six core Internet infrastructure applications.

Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable zero-day flaw in any of six critical Internet infrastructure applications.

The flaw bounty is the largest ever offered by the company's VCP (Vulnerability Contributor Program), which buys the rights to vulnerability information from hackers and handles the disclosure process with the affected vendors. (The VCP competes directly with TippingPoint's Zero Day Initiative, the program that bought the CanSecWest MacBook hijack flaw.)

In this latest quarterly challenge, iDefense is offering six bounties of $16,000 each for details on a zero-day code execution hole in any of the following Internet infrastructure technologies:

  • Apache httpd
  • Berkeley Internet Name Domain (BIND) daemon
  • Sendmail SMTP daemon
  • OpenSSH sshd
  • Microsoft Internet Information (IIS) Server
  • Microsoft Exchange Server

Here are the ground rules:

  • The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above
  • The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
  • 'RC' (Release candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge
  • The vulnerability must be original and not previously disclosed to any party
  • The vulnerability cannot be caused by or require any additional third party software installed on the target system
  • The vulnerability must not require any social engineering

There are separate prizes -- between $2,000 and $8,000 -- for proof-of-concept exploit code attached to a flaw submission. The amount of the exploit bounty will depend on the reliability and quality of the exploit code.

The challenge expires on September 30, 2007.

Although the $16,000 bounty is the largest ever offered publicly (the price tag on critical Vista and IE 7 holes was set at $8,000), security researchers dismiss the iDefense offer as "insulting."

Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen-testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever."

Several other hackers I spoke to had very much the same message, arguing that $16,000 comes nowhere near the amount of work and expertise required to find and exploit a hole in the six targeted technologies.

For example, since 2003 there have been only four remotely exploitable bugs found in Sendmail. All four were found by two hackers -- Mark Dowd and Michal Zalewski -- two of the most skilled researchers in the world.

"I think a remote in one of those should go for closer to $100,000 at this point," said one researcher who closely follows the market for security vulnerabilities.