    Researchers Offer Bounties for Exploits Targeting Microsoft, Adobe Bugs

    By Fahmida Y. Rashid - October 5, 2011

      ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty program for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products.

      The penetration-testing site identified a “dirty dozen” of client-side vulnerabilities in Microsoft Internet Explorer and Adobe Flash Player and offered a total of $4,400 for working exploits, ExploitHub said in its Oct. 5 announcement. Participating researchers will submit exploits through the site for individual rewards, ranging from $100 to $500. Researchers also retain rights to sell the exploits within the marketplace to earn additional income.

      The bugs, which affect typical enterprise networks, are not zero-days and have been previously disclosed. The exploits must be client-side remote exploits that result in remote code execution, and must target the following vulnerabilities, as identified by their Common Vulnerabilities and Exposures (CVE) numbers: CVE-2011-1256, CVE-2011-1266, CVE-2011-1261, CVE-2011-1262, CVE-2011-1963, CVE-2011-1964, CVE-2011-0094, CVE-2011-0038, CVE-2011-0035, CVE-2010-3346, CVE-2011-2110 and CVE-2011-0628.

      “Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up,” said Rick Moy, NSS Labs CEO. “This program is designed to accelerate the development of testing tools as well as help researchers do well by doing good.”

      Exploits resulting only in denial of service will not qualify under the program, and submitted exploits cannot already be available in Metasploit or other exploit toolkits, according to the program rules.

      Bounties remain controversial among software vendors. Mozilla and Google regularly pay researchers for disclosing vulnerabilities in their products.

      In fact, Google’s latest update for its Chrome Web browser fixed seven “high-risk” security vulnerabilities that exposed Windows, Mac OS X and Linux users to malicious attacks. Google paid researchers $10,000 for five of those bugs, with bounties ranging from $1,000 for a text-handling issue to $4,500 for a use-after-free flaw. Researcher Sergey Glazunov made $8,000 on this Chrome update alone.

      Mozilla has paid out $104,000 in rewards since launching its Web bounty program in December 2010, Michael Coates, senior manager of infrastructure security at Mozilla, said in a talk at the OWASP AppSec USA conference on Sept. 23. Mozilla pays researchers to disclose issues in the Firefox browser and in a subset of its Web properties. Of the 175 bugs submitted to Mozilla since the launch of the program, only 64 percent have actually qualified for rewards, according to the slides from the OWASP presentation posted online by Coates on Sept. 27.

      Researchers are offered up to $3,000 per bug, based on severity. Of the bugs submitted, 60 percent have been cross-site scripting flaws and 10 percent cross-site request forgery. Nearly 75 percent of the money paid went to high-priority bugs worth $3,000.

      On the other hand, Microsoft and Adobe have shied away from rewards programs. Adobe does not believe that offering bug bounties would really help the company protect its customers, Brad Arkin, Adobe’s senior director of product security and privacy, told eWEEK. Instead, Adobe establishes relationships to bring researchers in as contractors to test and find vulnerabilities. This way, the company can give the researchers access to proper tools and an environment in which to work, Arkin said.

      Instead of a program rewarding researchers for finding vulnerabilities, Microsoft launched a “Blue Hat” competition at this year’s Black Hat security conference to encourage researchers to develop mitigation technologies to prevent attackers from exploiting memory vulnerabilities. The company will announce the winners and award $250,000 in cash prizes at Black Hat 2012.

      Arkin said he was interested in seeing how Blue Hat plays out to determine whether that kind of a model could be adopted for Adobe.
