    Researchers Offer Bounties for Exploits Targeting Microsoft, Adobe Bugs

    By Fahmida Y. Rashid, October 5, 2011
      ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty program for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products.

      The penetration-testing site identified a “dirty dozen” of client-side vulnerabilities in Microsoft Internet Explorer and Adobe Flash Player and offered a total of $4,400 for working exploits, ExploitHub said in its Oct. 5 announcement. Participating researchers will submit exploits through the site for individual rewards, ranging from $100 to $500. Researchers also retain rights to sell the exploits within the marketplace to earn additional income.

      The bugs are not zero-days: all 12 have been publicly disclosed and patched, and all affect software commonly found on enterprise networks. Qualifying submissions must be client-side remote exploits that achieve remote code execution, and must target one of the following vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers: CVE-2011-1256, CVE-2011-1266, CVE-2011-1261, CVE-2011-1262, CVE-2011-1963, CVE-2011-1964, CVE-2011-0094, CVE-2011-0038, CVE-2011-0035, CVE-2010-3346, CVE-2011-2110 and CVE-2011-0628.

      “Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up,” said Rick Moy, NSS Labs CEO. “This program is designed to accelerate the development of testing tools as well as help researchers do well by doing good.”

      Under the program rules, exploits that only result in a denial of service do not qualify, and neither do exploits that are already available in Metasploit or other exploit toolkits.

      Bounties remain controversial among software vendors. Mozilla and Google regularly pay researchers for disclosing vulnerabilities in their products.

      In fact, Google’s latest update for its Chrome Web browser fixed seven “high-risk” security vulnerabilities that exposed Windows, Mac OS X and Linux users to malicious attacks. Google paid researchers $10,000 for five of those bugs, with bounties ranging from $1,000 for a text-handling issue to $4,500 for a use-after-free flaw. Researcher Sergey Glazunov made $8,000 on this Chrome update alone.

      Mozilla has paid out $104,000 in rewards since launching its Web bounty program in December 2010, Michael Coates, senior manager of infrastructure security at Mozilla, said in a talk at the OWASP AppSec USA conference on Sept. 23. Mozilla pays researchers to disclose issues in the Firefox browser and in a subset of its Web properties. Of the 175 bugs submitted to Mozilla since the launch of the program, only 64 percent have actually qualified for rewards, according to the slides from the OWASP presentation that Coates posted online on Sept. 27.

      Researchers are offered up to $3,000 per bug, depending on severity. Of the bugs submitted, 60 percent have been cross-site scripting flaws and 10 percent cross-site request forgery. Nearly 75 percent of the money paid out went to high-priority bugs worth $3,000 each.

      On the other hand, Microsoft and Adobe have shied away from rewards programs. Adobe does not believe that offering bug bounties would really help the company protect its customers, Brad Arkin, Adobe’s senior director of product security and privacy, told eWEEK. Instead, Adobe establishes relationships to bring researchers in as contractors to test and find vulnerabilities. This way, the company can give the researchers access to proper tools and an environment in which to work, Arkin said.

      Instead of a program rewarding researchers for finding vulnerabilities, Microsoft launched a “Blue Hat” competition at this year’s Black Hat security conference to encourage researchers to develop mitigation technologies to prevent attackers from exploiting memory vulnerabilities. The company will announce the winners and award $250,000 in cash prizes at Black Hat 2012.

      Arkin said he was interested in seeing how Blue Hat plays out to determine whether that kind of a model could be adopted for Adobe.
