«
»

Less than zero-day

October 3rd, 2006 by cwalsh

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.]
OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day.
These gents claim to have another 30 vulns that they are going to hold onto.
That’s interesting. Mozilla offers a $500 bug bounty. Therefore, I conclude that either:


  1. These guys do not have the 0days they claim to have, or

  2. They expect to get more than $500 for them elsewhere, or

  3. They dislike money


I find 3. hard to believe.

This entry was posted by cwalsh on Tuesday, October 3rd, 2006 at 6:06 pm and is filed under Security, conferences. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

3 Responses to “Less than zero-day”

  1. Mr. X says:
    October 3, 2006 at 8:19 pm

    Ok, third-hand information but…
    I heard from a friend of those individuals, and they say they were just joking. So, option 1.

  2. Chris says:
    October 3, 2006 at 8:26 pm

    Agreed, Mr. X. That’s what I was saying up top in the square brackets.

  3. Tyler Close says:
    October 5, 2006 at 2:28 pm

    I’ve submitted a security critical bug to Mozilla and filed for a bug bounty, but have not received one. Do they actually pay up? If my experience is typical, that would explain the reluctance/apathy towards submitting further bugs.