ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty program for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products.
The penetration-testing site identified a “dirty dozen” of client-side vulnerabilities in Microsoft Internet Explorer and Adobe Flash Player and offered a total of $4,400 for working exploits, ExploitHub said in its Oct. 5 announcement. Participating researchers will submit exploits through the site for individual rewards, ranging from $100 to $500. Researchers also retain rights to sell the exploits within the marketplace to earn additional income.
Affecting typical enterprise networks, the bugs are not zero-days and have been previously disclosed. The exploits must be client-side remote exploits that would result in remote code execution, and must be for the following vulnerabilities, as identified by their Common Vulnerabilities and Exposures (CVE) numbers: CVE-2011-1256, CVE-2011-1266, CVE-2011-1261, CVE-2011-1262, CVE-2011-1963, CVE-2011-1964, CVE-2011-0094, CVE-2011-0038, CVE-2011-0035, CVE-2010-3346, CVE-2011-2110 and CVE-2011-0628.
“Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up,” said Rick Moy, NSS Labs CEO. “This program is designed to accelerate the development of testing tools as well as help researchers do well by doing good.”
Exploits resulting in denial of service will not qualify under the program and also cannot already be available in Metasploit or other exploit toolkits, according to the program rules.
Bounties remain controversial among software vendors. Mozilla and Google regularly pay researchers for disclosing vulnerabilities in their products.
In fact, Google’s latest update for its Chrome Web browser included seven “high-risk” security vulnerabilities that exposed Windows, Mac OS X and Linux users to malicious attacks. Google paid researchers $10,000 for five of those bugs, with bounties ranging from $1,000 for a text-handling issue to $4,500 for a user-after-free flaw. Researcher Sergey Glazunov made $8,000 on this Chrome update alone.
Mozilla has paid out $104,000 in rewards since launching the Web bounty program in December 2010, Michael Coates, senior manager of infrastructure security at Mozilla, said in a talk at OWASP AppSec USA conference Sept. 23. Mozilla pays researchers to disclose issues in the Firefox browser and for a subset of its Web properties. Of the 175 bugs submitted to Mozilla since the launch of the program, only 64 percent have actually qualified for rewards, according to the slides from the OWASP presentation posted online by Coates on Sept. 27.
Researchers are offered up to $3,000 for a bug, based on severity. Additionally, 60 percent of the bugs have been cross-site scripting flaws and 10 percent are cross-site request forgery. Nearly 75 percent of the money paid went to high-priority bugs worth $3,000.
On the other hand, Microsoft and Adobe have shied away from rewards programs. Adobe does not believe that offering bug bounties would really help the company protect its customers, Brad Arkin, Adobe’s senior director of product security and privacy, told eWEEK. Instead, Adobe establishes relationships to bring researchers in as contractors to test and find vulnerabilities. This way, the company can give the researchers access to proper tools and an environment in which to work, Arkin said.
Instead of a program rewarding researchers for finding vulnerabilities, Microsoft launched a “Blue Hat” competition at this year’s Black Hat security conference to encourage researchers to develop mitigation technologies to prevent attackers from exploiting memory vulnerabilities. The company will announce the winners and award $250,000 in cash prizes at Black Hat 2012.
Arkin said he was interested in seeing how Blue Hat plays out to determine whether that kind of a model could be adopted for Adobe.