How much for your unknown critical MS exploit?
We often talk about how much exploits really go for on the market; here is another data point for this topic.
“For the current quarter, iDefense Labs will pay $10,000 for each vulnerability submission that results in the publication of a Microsoft Security Bulletin with a severity rating of critical. In order to qualify, the submission must be received by midnight EST on March 31, 2006. The $10,000 prizes will be paid out following the publication of the Microsoft Security Bulletin and will be paid in addition to any amount paid for the vulnerability when it is initially accepted.”
Wouldn’t that suck if MS decided it was really an ‘Important’ severity (i.e. not ‘Critical’) and you lost out? That could easily happen given MS’s definition of ‘Important’:
“A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.”
Anyway, I can’t see too many holders of a valuable 0day MS exploit selling it for that price, especially if they must relegate to MS on what severity they think it is.