This article is more than 1 year old

Want a $200k TIP? ZDI sticks bounties on bugs in big-name server code

Pwn web publishing tools, HTTP servers on Linux and Windows and earn a nice bonus

A bunch of new bug bounty rewards are up for grabs from the Zero Day Initiative, in a first-come, best-dressed program kicking off on August 1.

The Trend Micro-backed operation announced on July 24 what it called the Targeted Incentive Program (TIP). Besides the mention of Microsoft Windows Server 2016, the TIP focuses paying out cash for vulnerabilities found in open-source server-side products.

Bounty hunters, armed with fuzzers and exploits, will be rewarded if they're the first to exploit previously unseen bugs in one of the target platforms shown in the table below.

Target Operating System Bounty in USD Competition open dates
Joomla Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
Drupal Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
WordPress Ubuntu Server 18.04 x64 $35,000 August 2018 through October 2018
NGINX Ubuntu Server 18.04 x64 $200,000 August 2018 through November 2018
Apache HTTP Server Ubuntu Server 18.04 x64 $200,000 August 2018 through December 2018
Microsoft IIS Windows Server 2016 x64 $200,000 August 2018 through January 2019

The ZDI stated once a target is pwned, it will be removed from the list and replaced by another.

A harmless proof-of-concept demo won't fill a white-hat's bank account: the TIP seeks fully functioning exploits of zero-day vulnerabilities, affecting “the core code of the selected target.”

Along the way, a winning attacker has to defeat mitigations including sandboxes, Address Space Layout Randomization (ASLR), operating system protections, and so on, and a vulnerability must lead to arbitrary code execution to qualify. Reported flaws will be passed on to vendors to patch. Good luck. ®

More about

TIP US OFF

Send us news


Other stories you might like