[CentOS] bounties for exploits against CentOS?

Bennett Haselton bennett at peacefire.org
Tue Jan 17 17:12:22 UTC 2012


On 1/17/2012 8:11 AM, Les Mikesell wrote:
> On Tue, Jan 17, 2012 at 9:04 AM, Bennett Haselton<bennett at peacefire.org>  wrote:
>> But there seems to be some consensus, at least, that exploits do get
>> found which allow apache to run arbitrary code (even under its
>> unprivileged account),
> Web servers are particularly prone to this because webapps are
> typically designed to map user input to some action in a fairly
> flexible way (i.e. by mapping the URL to a program and its inputs) and
> people can easily manipulate the URLs they send.  That leaves a lot of
> levels where buffer overflows or mis-parsing can let unintended code
> execute.
>
>> and exploits do get found that elevate an
>> unprivileged user to root privileges.
> And it is best to assume that there are more that haven't been found...
>
>>   So you could offer, for example,
>> a bounty for anyone who finds a way to elevate the privilege of an
>> unprivileged account.  That's a lot less powerful than a complete
>> exploit that can be used against any server on the Internet, but it's
>> the kind of thing an attacker might use as part of a larger exploit.  So
>> would you feel safer using CentOS/Red Hat if Red Hat, for example,
>> offered a prize to anyone who could find a privilege-escalation exploit
>> like that?  Knowing that it would reduce the chance of a black hat
>> finding the exploit and using it as part of an attack?
> You'll never know when the last bug is found.

Well, I'm assuming there is no "last bug"; rather, that as more and more 
bugs are found and fixed, the mean time to find the next one will get 
measurably larger.

Pretty much all software testing is predicated on this notion -- that as 
you find and fix more bugs (of any kind, not just security bugs), 
eventually the mean time to find the next bug should get larger.  
Otherwise, what's the point, if at the end of all your testing and 
fixing, users keep running into bugs at the same frequency as before?

The idea is that if you find and fix enough of them, eventually the mean 
time to find the next one, and hence the cost of finding the next one, 
will exceed the black-market value of the exploit, so it's no longer 
profitable for black hats to go looking for them.

On the other hand, it is conceivable that above a certain 
effort-threshold, the number of exploits to be found is essentially 
unlimited.  Maybe at the $25,000 level, the number of bugs to be found 
is so large that no matter how many are found and fixed, the mean time 
to find the next one will always average about $25,000.  Meanwhile, if 
the black-market value of an exploit is more than that (say, $50,000), 
then the black hats will *never* run out of exploits.  This would have 
the unfortunate implication that not only is there no point in paying 
out bounties at that level (since it wouldn't make it any harder for a 
black hat to find a new exploit), but there would be no point in finding 
and fixing exploits at that level at all (unless you know a particular 
exploit is being used in the wild) -- since it will never get any harder 
for a black hat to find one!

> And if you don't know
> that, what have you gained by painting a target on your head?
>
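The two regimes argued over above (a finite pool of bugs whose cost-to-find rises with every fix, versus an effectively unlimited supply at a fixed effort level) can be made concrete with a small model. This is an added example, not code from the thread; it assumes bugs are found cheapest-first, that "effort" is measured in dollars, and uses a constructed exponential cost sample rather than real data.

```python
import random

def fixes_until_unprofitable(cost_of_next, market_value, max_fixes=10_000):
    """Walk the cheapest-first discovery order: after k bugs have been found and
    fixed, cost_of_next(k) is the effort (in dollars) needed to find one more.
    Returns the number of fixes after which the next bug costs more than the
    exploit's black-market value, or None if that never happens within
    max_fixes (the 'black hats never run out' regime from the post)."""
    for k in range(max_fixes + 1):
        if cost_of_next(k) > market_value:
            return k
    return None

def finite_pool(costs):
    """Regime 1: a finite pool of bugs.  Each fix removes the cheapest remaining
    one, so the cost of the next find rises monotonically and, once the pool
    is empty, is effectively infinite."""
    ordered = sorted(costs)
    return lambda k: ordered[k] if k < len(ordered) else float("inf")

def plateau_pool(costs, plateau):
    """Regime 2: a few cheap bugs, then an effectively unlimited supply that
    each cost about `plateau` to find.  Fixing never pushes the cost higher."""
    ordered = sorted(c for c in costs if c < plateau)
    return lambda k: ordered[k] if k < len(ordered) else plateau

def bounty_helps(cost_of_next, market_value, max_fixes=10_000):
    """A bounty programme only changes attacker economics if fixing enough bugs
    eventually makes the next one cost more than the exploit is worth."""
    return fixes_until_unprofitable(cost_of_next, market_value, max_fixes) is not None

if __name__ == "__main__":
    # Constructed sample: 300 bugs with exponentially distributed discovery cost
    # (mean $20,000).  Not real data.
    rng = random.Random(7)
    sample = [rng.expovariate(1 / 20_000) for _ in range(300)]
    market = 50_000          # hypothetical black-market value of an exploit
    n = fixes_until_unprofitable(finite_pool(sample), market)
    print(f"finite pool: next bug exceeds ${market:,} after {n} fixes")
    n = fixes_until_unprofitable(plateau_pool(sample, 25_000), market)
    print(f"plateau at $25,000: {'never' if n is None else n} "
          f"-> bounties alone cannot price black hats out")
```

In the finite regime the model reports a concrete number of fixes after which hunting is unprofitable; in the plateau regime it reports "never", which is exactly the case where paying bounties does not raise the attacker's cost.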
