ExploitHub, the marketplace for penetration testers, is issuing a bounty for exploits developed against 12 high-value vulnerabilities (CVEs). Security researchers who submit working exploits against these CVEs can earn up to $4,400.
In addition, they retain rights to sell these exploits within the marketplace and earn additional residual income.
ExploitHub is the first legitimate marketplace for validated, non-zero-day exploits, where penetration testers can acquire exploits in order to perform more comprehensive testing.
ExploitHub’s integrated bounty system allows users to request development of an exploit against any vulnerability. Customers can incentivize exploit authors by committing to pay a fixed one-time “bounty” upon delivery. Authors retain rights to the exploit for future sales and earn residual income.
ExploitHub is launching this feature and seeding the bounty system by funding pay-outs for the following “dirty dozen” client-side exploits. These previously disclosed vulnerabilities were identified as affecting typical enterprise networks.
Exploits with a bounty:
- CVE-2011-1256: Microsoft Internet Explorer CElement Memory Corruption: $300
- CVE-2011-1266: Microsoft Internet Explorer VML vgx.dll Use After Free: $500
- CVE-2011-1261: Microsoft Internet Explorer selection.empty Use After Free: $500
- CVE-2011-1262: Microsoft Internet Explorer Redirect Memory Corruption: $300
- CVE-2011-1963: Microsoft Internet Explorer XSLT Memory Corruption: $500
- CVE-2011-1964: Microsoft Internet Explorer Style Object Memory Corruption: $500
- CVE-2011-0094: Microsoft Internet Explorer CSS Use After Free Memory Corruption: $500
- CVE-2011-0038: Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading: $200
- CVE-2011-0035: Microsoft Internet Explorer Deleted Data Source Object Memory Corruption: $300
- CVE-2010-3346: Microsoft Internet Explorer HTML Time Element Memory Corruption: $300
- CVE-2011-2110: Adobe Flash Player ActionScript Function Variable Arguments Information: $300
- CVE-2011-0628: Adobe Flash Player Remote Integer Overflow Code Execution: $300
“Client-side exploits are the weapons of choice for modern attacks, including spear phishing and so-called APTs. Security professionals need to catch up,” said Rick Moy, CEO. “This program is designed to accelerate the development of testing tools, as well as help researchers do well by doing good.”