I just sent a remote heap overflow to IDefense

I’m curious if IDefense www.idefense.org pays more or less than Tipping point www.zerodayinitiative.com.

 I sent a local OpenBSD / FreeBSD kernel bug to ZDI, and they replied back saying they were only interested in remote vulnerabilities, and for the most part of that only bought pre-authentication bugs.

 Well, I found a reasonably significant heap overflow in some moderately popular opensource Unix software, which is aimed primarily for the server and partly the desktop market.  It’s not internet critical infrastructure or anything like OpenSSH or Apache, but it’s a reasonable bug none the less.  I suspect it could lead to arbitary code execution, though I haven’t attempted to write an exploit for proof of that.

 I sent the analysis and sample Denial of Service exploit to IDefense, last Friday (the 23rd).  I got a mail back today saying it has been assigned to a researcher for determination (if the bug is valid and if IDefense will offer to purchase the vulnerability).

 I hope I made the right decision to send to IDefense and not ZDI.  Does anyone have comments or ballpark figures of how much money each one pays?


2 responses to “I just sent a remote heap overflow to IDefense

  1. Expect 100-200

  2. iDefense offers lowest prices on the market. For vulnerabilities worth 3000 – 5000 USD for others (not counting black market), iDefense pay 800 USD. I don’t see any reasonable argument why one should sell to iDefense.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s