I lied when I said I would write up, within a day, the details of the ClamAV bug published by iDefense last week.
ClamAV was acquired by Sourcefire, which is the software company that is responsible for the Snort IDS.
ClamAV's code needs a fair amount of refactoring to be maintainable. The current sources are quite disturbing. I'm not surprised there have been a number of bugs posted against it in the past 6 months. Mind you, the ClamAV website doesn't seem to keep all of the advisories that have been posted against it on its list of security advisories.
ClamAV is now being developed by Sourcefire, who are obviously working hard to get their acquisition (the source code) up to standard.
An iDefense advisory for the vulnerability I submitted should be released tomorrow. I'll make a posting tomorrow with more details of the bug.
I received an email from iDefense today. The email was an offer for the vulnerability I sent them a month or so ago. I was very happy to see the offer at $3000 US. This surprised me, as I was expecting an offer much lower. The vulnerability I sent them was not a code execution bug, and the previous vulnerability they paid me for (which was code execution) resulted in an offer of $1500 US.
What happens now is that I reply to the email with a tagged subject line (including the word "Accepted"). They should then send me a contract (as a PDF), which I will have to print out, sign, scan and then send back to iDefense.