LEGITIMATE EXPLOIT MARKET Exploithub is offering $4,000 in bounties to people capable of producing attack code for twelve vulnerabilities in Microsoft's Internet Explorer and Adobe's Flash Player.
Exploithub is a one-of-a-kind system that pairs exploit writers with penetration testing companies in the search for new weapons to add to their arsenals.
It's a well known fact that writing reliable exploit code is significantly harder than finding security weaknesses. Leaving fuzzing programs to feed malformed input into applications for hours can generate hundreds of potentially exploitable crashes.
However, producing exploits that can leverage them to execute code, elevate privileges or do other unauthorized tasks is a painstaking job that requires a lot of skill and patience.
Large penetration testing companies hire their own resident exploit writers, but others have to use their testers for exploit development, so outsourcing this process is common to save man hours and resources.
The NSS Labs operated Exploithub was created to meet this demand. The company vets buyers and checks the submitted exploits for effectiveness, efficiency and reliability.
Unlike the underground exploit market, there are no zero-day exploits allowed as penetration testing is not about breaking into systems in ways that cannot be prevented. The purpose of such actions is to identify what could have been done to harden security but wasn't.
NSS Labs kicked off a new bounty system yesterday by offering cash for ten Internet Explorer exploits and two Flash Player exploits. If you're wondering why these products were selected, it's because they are typically found on enterprise networks.
The payouts are $200, $300 and $500, depending on vulnerability, and the bounty for one of the Flash exploits has already been paid. The Metasploit project held a similar programme earlier this year where it paid a total of $5,000 for attack code against 30 vulnerabilities.
"Client-side exploits are the weapons of choice for modern attacks, including spear phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up," said NSS Labs CEO Rick Moy. "This program is designed to accelerate the development of testing tools, as well as help researchers do well by doing good," he added. µ
They're kind of cute though
No code? No problem!
The wide world of whimsy from the Alphabet Castle