Bounties Offered For Microsoft And Adobe Exploits

ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty programme for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products.

The penetration-testing site identified a “dirty dozen” of client-side vulnerabilities in Microsoft Internet Explorer and Adobe Flash Player and offered a total of $4,400 (£2,855) for working exploits, ExploitHub said. Participating researchers will submit exploits through the site for individual rewards, ranging from $100 (£65) to $500 (£325). Researchers also retain rights to sell the exploits within the marketplace to earn additional income.

Specific Vulnerabilities

Affecting typical enterprise networks, the bugs are not zero-days and have been previously disclosed. The exploits must be client-side remote exploits that would result in remote code execution, and must be for the following vulnerabilities, as identified by their Common Vulnerabilities and Exposures (CVE-2011) numbers: 0035, 0038, 0094, 0628, 1256, 1261, 1262, 1963, 1964,  1266, 2110, and 3346.

“Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up,” said NSS Labs CEO Rick Moy. “This programme is designed to accelerate the development of testing tools as well as help researchers do well by doing good.”

Exploits resulting in denial of service will not qualify under the programme and also cannot already be available in Metasploit or other exploit toolkits, according to the programme rules.

Bounties remain controversial among software vendors. Mozilla and Google regularly pay researchers for disclosing vulnerabilities in their products.

In fact, Google’s latest update for its Chrome Web browser included seven “high-risk” security vulnerabilities that exposed Windows, Mac OS X and Linux users to malicious attacks. Google paid researchers $10,000 (£6,500) for five of those bugs, with bounties ranging from $1,000 ($650) for a text-handling issue to $4,500 (£2,920) for a user-after-free flaw. Researcher Sergey Glazunov made $8,000 (£5,192) on this Chrome update alone.

Mozilla has paid out $104,000 (£67,493) in rewards since launching the Web bounty programme in December 2010, Michael Coates, senior manager of infrastructure security at Mozilla, said in a talk at OWASP AppSec USA conference on 23 September. Mozilla pays researchers to disclose issues in the Firefox browser and for a subset of its Web properties. Of the 175 bugs submitted to Mozilla since the launch of the programme, only 64 percent have actually qualified for rewards, according to the slides from the OWASP presentation posted online by Coates on 27 September.

Researchers are offered up to $3,000 for a bug, based on severity. Additionally, 60 percent of the bugs have been cross-site scripting flaws and 10 percent are cross-site request forgery. Nearly 75 percent of the money paid went to high-priority bugs worth $3,000.

Bounty Barred

On the other hand, Microsoft and Adobe have shied away from rewards programmes. Adobe does not believe that offering bug bounties would really help the company protect its customers, Brad Arkin, Adobe’s senior director of product security and privacy, told eWEEK. Instead, Adobe establishes relationships to bring researchers in as contractors to test and find vulnerabilities. This way, the company can give the researchers access to proper tools and an environment in which to work, Arkin said.

Instead of a programme rewarding researchers for finding vulnerabilities, Microsoft launched a “Blue Hat” competition at this year’s Black Hat security conference to encourage researchers to develop mitigation technologies to prevent attackers from exploiting memory vulnerabilities. The company will announce the winners and award $250,000 in cash prizes at Black Hat 2012.

Arkin said he was interested in seeing how Blue Hat plays out to determine whether that kind of a model could be adopted for Adobe.