The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer.
Metasploit has put together a list of 30 separate vulnerabilities in a variety of applications that it is interested in getting exploits for. In order to qualify for the reward program, a participant just needs to choose a vulnerability from the list and develop a working exploit within a week’s time. If he can’t submit a working exploit in that time, then the bug is put back into the pool of available vulnerabilities for others to work on.
The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top-five list, which includes a flaw in Google Chrome and another in the Windows DNS client, is worth $500. Modules for vulnerabilities in the separate top-25 list are worth $100 each under the rules.
All of the modules submitted to Metasploit will be available under the Metasploit license, and the first participant who submits a working module is entitled to the bounty. The program ends on July 20.
The full rules are as follows:
The rewards for working exploits in Metasploit are well below the bounties paid by other organizations for high-value exploits. Google, for example, pays as much as $3133.7 for critical vulnerabilities in Chrome. However, Metasploit is an open-source community project and the program is not necessarily in the same vein as those run by Google, Mozilla and others, which are focused on finding bugs in their own applications.