<br>All people black hat, I agree with you KF iDefense low pay s0x! <br><br>- mark <br><br><div><span class="gmail_quote">On 16/01/07, <b class="gmail_sendername"><a href="mailto:ad@heapoverflow.com">ad@heapoverflow.com
</a></b> <<a href="mailto:mr.dovi@gmail.com">mr.dovi@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I agree with you KF, that's why I have not recommended iDEFENSE in my
<br>forum's footer for some time now.<br>They are just playing on the fact they are alone, or they were alone<br>for a long time on this market, and they do<br>not wish to make any effort, making loads of dollars with us; to say it
<br>cleanly, they suck.<br><br>AD<br><br>K F (lists) wrote:<br>> No offense to iDefense as I have used their services in the past... but<br>> MY Q1 2007 Challenge to YOU is to start offering your researchers more<br>
> money in general! I've sold remotely exploitable bugs in random 3rd<br>> party products for more $$ than you are offering for these Vista items<br>> (see the h0n0 #3). I really think you guys are devaluing the exploit
<br>> market with your low offers... I've had folks mail me like WOW iDefense<br>> offered me $800 for this remote exploit. Pfffttt not quite.<br>><br>> We all know black hats are selling these sploits for <=$25k so why
<br>> should the legit folks settle for anything less? As an example the guys<br>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end<br>> we decided it was not worth it due to low pay...<br>
><br>> Low Pay == Not getting disclosed via iDefense....<br>><br>> -KF<br>><br>><br>><br>>> I know someone who will pay significantly more per vulnerability against the<br>>> same targets.
<br>>><br>>> On 1/10/07 12:27 PM, "contributor" <<a href="mailto:Contributor@idefense.com">Contributor@idefense.com</a>> wrote:<br>>><br>
>>> -----BEGIN PGP SIGNED MESSAGE-----<br>
>>> Hash: SHA1<br>
>>><br>
>>> Also available at:<br>
>>> <a href="http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge">http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerability+challenge</a><br>
>>><br>
>>> *Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Vista & IE 7.0*<br>
>>><br>
>>> Both Microsoft Internet Explorer and Microsoft Windows dominate their<br>
>>> respective markets, and it is not surprising that the decision to<br>
>>> update to the current release of Internet Explorer 7.0 and/or Windows<br>
>>> Vista is fraught with uncertainty. Primary in the minds of IT security<br>
>>> professionals is the question of vulnerabilities that may be present in<br>
>>> these two groundbreaking products.<br>
>>><br>
>>> To help assuage this uncertainty, iDefense Labs is pleased to announce<br>
>>> the Q1, 2007 quarterly challenge.<br>
>>><br>
>>> Remote Arbitrary Code Execution Vulnerabilities in Vista and IE 7.0<br>
>>> Vulnerability Challenge:<br>
>>> iDefense will pay $8,000 for each submitted vulnerability that allows<br>
>>> an attacker to remotely exploit and execute arbitrary code on either of<br>
>>> these two products. Only the first submission for a given vulnerability<br>
>>> will qualify for the award, and iDefense will award no more than six<br>
>>> payments of $8000. If more than six submissions qualify, the earliest six<br>
>>> submissions (based on submission date and time) will receive the award.<br>
>>> The iDefense Team at VeriSign will be responsible for making the final<br>
>>> determination of whether or not a submission qualifies for the award.<br>
>>> The criteria for this phase of the challenge are:<br>
>>><br>
>>> I) Technologies Covered:<br>
>>> - - Microsoft Internet Explorer 7.0<br>
>>> - - Microsoft Windows Vista<br>
>>><br>
>>> II) Vulnerability Challenge Ground Rules:<br>
>>> - - The vulnerability must be remotely exploitable and must allow<br>
>>> arbitrary code execution in a default installation of one of the<br>
>>> technologies listed above<br>
>>> - - The vulnerability must exist in the latest version of the<br>
>>> affected technology with all available patches/upgrades applied<br>
>>> - - 'RC' (Release candidate), 'Beta', 'Technology Preview' and<br>
>>> similar versions of the listed technologies are not included in this<br>
>>> challenge<br>
>>> - - The vulnerability must be original and not previously disclosed<br>
>>> either publicly or to the vendor by another party<br>
>>> - - The vulnerability cannot be caused by or require any additional<br>
>>> third party software installed on the target system<br>
>>> - - The vulnerability must not require additional social engineering<br>
>>> beyond browsing a malicious site<br>
>>><br>
>>> Working Exploit Challenge:<br>
>>> In addition to the $8000 award for the submitted vulnerability,<br>
>>> iDefense will pay from $2000 to $4000 for working exploit code that<br>
>>> exploits the submitted vulnerability. The arbitrary code execution<br>
>>> must be of an uploaded non-malicious payload. Submission of a<br>
>>> malicious payload is grounds for disqualification from this phase of<br>
>>> the challenge.<br>
>>><br>
>>> I) Technologies Covered:<br>
>>> - - Microsoft Internet Explorer 7.0<br>
>>> - - Microsoft Windows Vista<br>
>>><br>
>>> II) Working Exploit Challenge Ground Rules:<br>
>>> Working exploit code must be for the submitted vulnerability only<br>
>>> iDefense will not consider exploit code for existing vulnerabilities<br>
>>> or new vulnerabilities submitted by others. iDefense will consider<br>
>>> one and only one working exploit for each original vulnerability<br>
>>> submitted.<br>
>>><br>
>>> The minimum award for a working exploit is $2000. In addition to the<br>
>>> base award, additional amounts up to $4000 may be awarded based upon:<br>
>>> - - Reliability of the exploit<br>
>>> - - Quality of the exploit code<br>
>>> - - Readability of the exploit code<br>
>>> - - Documentation of the exploit code<br>
>>><br>
>>> -----BEGIN PGP SIGNATURE-----<br>
>>> Version: GnuPG v1.4.3 (MingW32)<br>
>>> Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org">http://enigmail.mozdev.org</a><br>
>>><br>
>>> iD8DBQFFpSHsYcX4JiqFDSgRAl+ZAJwMJaZoJ6zwd4m8qZfviOZnNNUVrACgpaTU<br>
>>> QkO9IXq+PsC6bMKg7j6Dwfw=<br>
>>> =N0am<br>
>>> -----END PGP SIGNATURE-----<br>
>>><br>
>>> _______________________________________________<br>
>>> Full-Disclosure - We believe in it.<br>
>>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
>>> Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br>
</blockquote></div><br>