03-20-2009, 11:11 AM   #10
Bobblehead

Wow, the vuln Miller used to win, he actually discovered while researching for LAST year's contest.

Quote:
Miller said that the vulnerability he used in the contest was one that he had originally found while preparing for the contest last year. Instead of disclosing it at that time, he decided to save it for the contest this year, because the contest only pays for one bug per year.

He has an interesting point. He is discovering these vulnerabilities; should he be required to give them away for free? If Apple/MS/Mozilla/Google are paying people to uncover these issues, why should he do it for free?

Personally I think that to pay for any bug would be brutal for any company to try and administer, but I could see them offer to pay for bugs to people like this, people who have proven their abilities to find these issues.

If this guy has known about this issue for over a year, it is definitely possible that a cracker knows of similar things but is smart enough not to spread it as a mass worm.


BTW, Chrome was the only browser that wasn't hacked by the end of the first day. Apparently the sandbox feature works pretty well.

http://arstechnica.com/security/news...wn-contest.ars
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati