views: 55

answers: 2

Playing with Windows Server 2008 and IIS 7, I encountered a weakness which allows running an executable on the web server. I tried my friend's VPS server and it seems to work on at least the Web and Enterprise editions. I'm not a hacker and just found it accidentally when I was testing my web application.

The question is: how can I report it and make money legally, and how much would they pay, approximately?

+2  A: 

Try ZDI. It looks like iDefense has something similar (VCP).

Noon Silk
Thanks. Useful link.
Xaqron
+2  A: 

Fill out a vulnerability report; this will get you a CVE number for the issue. Put it on a resume. Microsoft, like most vendors, does not provide a bounty for bugs. Providing bounties for vulnerabilities DOES NOT WORK. However, Firefox and Chrome will give you a few thousand dollars for a serious flaw.

Rook
They don't pay for what they need?! They are selling it right now, and if somebody uses this weakness then it's illegal and he should go to jail. It seems the law is on his (Billy's) side. Since I'm not a criminal, I should just reveal it to the vendor for nothing or a few dollars? It's not fair.
Xaqron
@Xaqron http://www.schneier.com/blog/archives/2005/12/bug_bounties_ar.html
Rook
@Xaqron Also, I have about 30+ CVE numbers to my name, and I haven't been paid for a single one. I hunt regularly and found another vulnerability worthy of a CVE less than an hour ago. It looks good on a resume, you get notoriety as a hacker, and most of all it's FUN.
Rook
You mean "Mozilla and Google" in your answer... browsers can't give money :P </nitpicking>
BoltClock