The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer.
Metasploit has put together a list of 30 separate vulnerabilities in a variety of applications that it is interested in getting exploits for. In order to qualify for the reward program, a participant just needs to choose a vulnerability from the list and develop a working exploit within a week’s time. If he can’t submit a working exploit in that time, then the bug is put back into the pool of available vulnerabilities for others to work on.
The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list, which includes a flaw in Google Chrome and another in the Windows DNS client, is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules.
All of the modules submitted to Metasploit will be available under the Metasploit license, and the first participant who submits a working module is entitled to the bounty. The program ends on July 20.
The full rules are as follows:
- All submissions must come from the Top 25 or Top 5 lists below
- All exploits should be submitted to Metasploit Redmine. 1 ticket per exploit.
- Modules MUST conform to the HACKING style guidelines
- Should work reliably on all targets listed in the module.
- Should bypass ASLR/DEP when applicable (ROP)
- English-based targets should be included
- Denial-of-service modules do not count
- Contributors may not be residents of a US embargoed country
The rewards for working exploits in Metasploit are well below the bounties paid by other organizations for high-value exploits. Google, for example, pays as much as $3133.7 for critical vulnerabilities in Chrome. However, Metasploit is an open-source community project and the program is not necessarily in the same vein as those run by Google, Mozilla and others, which are focused on finding bugs in their own applications.