iDefense just announced a bounty of $16,000 for remotely exploitable zero-day flaw in Apache, BIND, Sendmail, OpenSSH. IIS, or Exchange. This comes on the heals of the $10,000 plus a MacBook recently awarded by CanSecWest for remotely exploiting an OSX laptop.
While there are similarities between the two offers (not to mention iDefense and others standing bounty programs) both of these challenges raise the bar for spl0its. While $10K isn’t exactly chump change it is definitely worth a few days of banging away to find a hole in a system. In the case of iDefense’s latest offer of $16K many researchers are claiming that it is just not enough to motivate them to invest the work required to find such a hole in the listed software packages.
For the vast majority of researchers I suspect that this is true. The people capable of finding these holes all have jobs that pay at least five times that much if not more and if they don’t they should. $16K to them is probably chump change, at least compared to the effort and work required to find a viable exploit in these very robust packagaes.
However, I suspect that there are smart people elsewhere in the world for which 16,000 United States dollars might actually mean something. People who might be willing to put in the long hours and hard work required to find such a hole. If such a hole is found the question then becomes if it is worth only $16K or can they make more from it elsewhere? Think about it. A remote code execution vulnerability found in Sendmail, Apache or OpenSSH, what could you do with such a hole if not tied down by morals and ethics? Would you sell it for a measly $16K?
But really, sploits for dollars? Is that really the type of security model we should be promoting? Unfortunately the days of finding holes for sheer thrill, the glory, and the girliez seem to be far behind us. Is finding holes for a bounty any different than finding them for a salary?
The bigger question of course is disclosure. How holes are found isn’t as big an issue as what happens after they are discovered. Should the hole be disclosed or kept secret. If it is to be disclosed should there be a delay until a patch is available or announce immediately and leave unknowing people vulnerable? Should all holes even be patched?
Sploits for dollars. Maybe a new reality TV sports show?