Less than zero-day

(Posted by cwalsh)

[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.]

OK, so at Toorcon a couple of guys -- one of whom works at SixApart -- reported on a Firefox 0day.

These gents claim to have another 30 vulns that they are going to hold onto.

That's interesting. Mozilla offers a $500 bug bounty. Therefore, I conclude that either:


  1. These guys do not have the 0days they claim to have, or

  2. They expect to get more than $500 for them elsewhere, or

  3. They dislike money

I find 3. hard to believe.

Posted by cwalsh on October 3, 2006 at 6:06 PM in Security, conferences.

Comments

Ok, third-hand information but...

I heard from a friend of those individuals, and they say they were just joking. So, option 1.

Posted by: Mr. X | October 3, 2006 8:19 PM


Agreed, Mr. X. That's what I was saying up top in the square brackets.

Posted by: Chris | October 3, 2006 8:26 PM


I've submitted a security critical bug to Mozilla and filed for a bug bounty, but have not received one. Do they actually pay up? If my experience is typical, that would explain the reluctance/apathy towards submitting further bugs.

Posted by: Tyler Close | October 5, 2006 2:28 PM