June 16th, 2011, 16:45 GMT · By

Metasploit Offers Bounties for Exploits

Metasploit launches exploit bounty program

Rapid7, the company behind the Metasploit penetration testing framework, is offering bounties to security researchers who can write exploits for 30 selected vulnerabilities.

The program has a prize pool of $5,000 and will run until July 20; however, many of the 30 vulnerabilities have already been claimed.

The bounties are offered on a first-come, first-served basis and amount to $500 for exploits for the top 5 vulnerabilities and $100 for each of the remaining 25.

A researcher can submit a claim for a vulnerability and, once it is accepted, has one week to submit a working exploit in the form of a Metasploit module.

The claim procedure was introduced to avoid having multiple researchers develop modules for the same vulnerability, with only one of them getting rewarded.

Claims can be made by sending an email to bounty@metasploit.com with the name of the vulnerability. At the time of writing, only eleven of the top-25 and one of the top-5 vulnerabilities were left unclaimed.

There are a couple of rules for those taking up the challenge. For example, the exploits must bypass ASLR and DEP where applicable and must work reliably on all targets listed in the module.

The only top-5 vulnerability that no one has signed up for yet affects Google Chrome versions earlier than 11.0.696.71. The exploit must result in arbitrary code execution.

The other four, which have already been claimed, are located in Lotus Notes, IBM's Tivoli Directory Server, Windows GDI+ and Windows DNS resolution.

The top 25 contains a second Chrome vulnerability for which a remote code execution exploit is wanted, but no one has signed up for it either. This is most probably because of the browser's native sandbox, which is extremely difficult to bypass.

It's well known in the security community that writing reliable exploits is much harder than finding vulnerabilities. Considering that Mozilla and Google pay up to $3,000 for a single vulnerability, $100 and $500 for exploits might seem unfair to some.

However, it's worth keeping in mind that Metasploit is an open source project to which security researchers usually contribute for free. Also, recognition from one's peers is probably more important in this case than money.
