
Tuesday, October 11, 2011

NSS Labs offers Bounties for exploits


ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty program for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products. The company, which has set aside $4,400 in reward money, plans to give $100 to $500 to the first people to submit a working exploit for the vulnerabilities. Ten of the vulnerabilities concern Microsoft's Internet Explorer browser and two were found in Adobe's Flash multimedia program.

“Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up,” said Rick Moy, NSS Labs CEO. “This program is designed to accelerate the development of testing tools as well as help researchers do well by doing good.”

There is no time limit on entering a winning exploit; the first person who submits a working exploit receives the bounty. ExploitHub also allows authors of exploits to retain the rights to their code for future sales. Interested programmers can view the complete list of 12 requested vulnerabilities.

Those who write the winning exploits may then sell their code on ExploitHub, with NSS Labs taking a 30% commission. Penetration testers can also make requests via the marketplace for exploits for specific vulnerabilities. Those who want to buy exploits are vetted by NSS Labs to ensure the marketplace is not abused. ExploitHub also sells exploits only for vulnerabilities that have been patched and does not host ones for zero-day vulnerabilities.
