Metasploit declared $5,000.00, in 5 weeks for exploits Bug Bounty program

If you've got a way to crack Google Chrome, the Metasploit team wants to pay you for it. Today Rapid 7 announced that it has a total of $5000 in cash to reward to contributors who send in exploits for its Top 5 or Top 25 vulnerability lists. The exploits have to be submitted, and accepted, as modules under its standard Metasploit Framework license. 
Cash for bugs is a controversial but common way for security firms to encourage hackers to send exploits to the white hats. As far as Bug Bounty programs go, Metasploit's program is meager. But for an open source program that relies on contributions sent in for free, it's an interesting experiment. The program will end quickly, lasting only five weeks (July 20). One fun thing that the team is doing is letting people stake a claim to their exploit of choice from their Top 5 (prize is $500) or Top 25 (prize is $100) lists. After claiming an exploit, hackers get a week to submit their Metasploit module for their chosen bug. The prize money will "only be paid out to the first module contributor for a given vulnerability," the Metasploit team says.
And guess what? Denial of Service exploits won't qualify. Metasploit wants your bug to be able to do more than that. It should also bypass ASLR/DEP when applicable and be geared toward English-based targets. Metasploit wants hackers to follow its hacking guidelines and they cannot be residents of a US embargoed country.
All accepted submissions will not only win a bit of cash but their submissions will be made available to other Metasploit users, again under the Metasploit Framework license (3-clause BSD).
As I look at the list of 30 possible exploits while writing this blog post, I see that only two have been claimed so far. CVE/ZDI 2011-1218, Lotus Notes - Autonomy Keyview(.zip attachment), and an exploit not listed in the CVE database, known as " DATAC RealWin On_FC_CONNECT_FCS_LOGIN packet containing a long username." So plenty of room for participants remains.
The cash-for-bugs program is interesting, but the list of vulnerabilities for which Metasploit is seeking help is even more so.

The Top 5 are for specific holes in ...
  1. Google Chrome (before 11.0.696.71)
  2. Lotus Note
  3. IBM Tivoli Directory Server
  4. DNS
  5. GDI
In the Top 25, the entries on the list that caught my eye include holes in JScript, VBScript Scripting Engines, JBOS, Oracle VM and Citrix, among others. (Yes, browsers are in there, too, including Firefox, Chrome and Opera).
Of course, if you do have a killer bug, particularly for some of the browsers like Firefox or Chrome you can perhaps earn more than $100 for it. Mozilla's Bug Bounty program pays up to $3000 cash reward and you get a Mozilla T-shirt. For web applications or services related security bugs, Mozilla pays from $500 to $3,000. In January, Google plunked out what was then a record reward, $3,133, to a hacker for reporting a flaw Chrome. (Google raised its bug bounty fee about a year ago, from $1,337 after Mozilla bumped up its reward rate to $3,000).
TippingPoint, known as one of the founders of the bug bounty concept, not only pays cash (as much as $5,000 for your zero-day), but it also awards bonus points in a scheme more complicated than an airline mileage rewards program. Participants earn points for referring others into the program, for each zero-day they submit and so on. These points gain you bonuses for your hacks, and other goodies like all-expense-paid trips to hacker conferences like Black Hat.
Who knew hacking could be so rewarding?


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH



Post a Comment

Related Posts Plugin for WordPress, Blogger...