
| Subject: | RE: Trend Micro's Vista "0day exploit auction" claim |
|---|---|
| Date: | Tue, 19 Dec 2006 13:11:29 +0100 (CET) |
Chris,

Good points. However, how did you come to the assertion that everyone is expecting lots of exploits? I for one didn't express this opinion.

Keeping Windows 2003 in mind (and how widely it's deployed, admittedly) we could be in for a surprise with Vista. Maybe that's too optimistic; only time will tell.

Kr
Roger

On Wed, December 20, 2006 12:54 am, Chris Poulter wrote:

50k per vulnerability opposed to hundreds (unlikely) 60-100k/year (unlikely) - the Q/A's might only get 40-50k/year, a security vulnerability technician would be the one getting paid the big bucks, but there wouldn't be "hundreds" of them? - how do you work that one out to be more feasible? Considering everyone is presuming there will be lots of exploits, 50k/exploit will equate to a much larger payout....

And exploit the exploiters? - how do you figure this one as well? Someone getting paid 50k/exploit is far more beneficial to the "exploiter" than getting nothing and just sharing the love....where MS would lose out more if this happened and leave them more exposed...

I'm not arguing for either side of the case as I haven't looked into it enough to make my own judgment, but I don't think your assessment is accurate...

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Cody Tubbs
Sent: Wednesday, December 20, 2006 10:40 AM
To: Radu Oprisan
Cc: pen-test@securityfocus.com
Subject: Re: Trend Micro's Vista "0day exploit auction" claim

It's cheaper to pay kids 50k for actually finding flaws, rather than paying hundreds of QA engineers 60-100k a pop to spend months finding nothing. Another reason M$ sucks, exploit the exploiters.

-Cody Tubbs

Radu Oprisan wrote:

Ryan Meyer wrote:

A number of popular tech news sources are reporting Trend Micro's CTO, Raimund Genes, publicly claiming that there are "auctions" for zero-day Windows Vista exploits. Further, he claims these auctions are fetching approx $50,000. Could anyone verify Trend Micro's claim?

It seems dubious, at best, to me and possibly nothing more than pure FUD.

Sorry to get off topic.

Ryan Meyer

This could also be some covert way for Microsoft to find their own vulnerabilities. That has happened before.
-- Life is 10 percent what you make it and 90 percent how you take it. - Irving Berlin