Want a $200k TIP? ZDI sticks bounties on bugs in big-name server code
Pwn web publishing tools, HTTP servers on Linux and Windows and earn a nice bonus
A bunch of new bug bounty rewards are up for grabs from the Zero Day Initiative, in a first-come, best-dressed program kicking off on August 1.
The Trend Micro-backed operation announced on July 24 what it called the Targeted Incentive Program (TIP). Besides the mention of Microsoft Windows Server 2016, the TIP focuses paying out cash for vulnerabilities found in open-source server-side products.
Bounty hunters, armed with fuzzers and exploits, will be rewarded if they're the first to exploit previously unseen bugs in one of the target platforms shown in the table below.
|Target||Operating System||Bounty in USD||Competition open dates|
|Joomla||Ubuntu Server 18.04 x64||$25,000||August 2018 through September 2018|
|Drupal||Ubuntu Server 18.04 x64||$25,000||August 2018 through September 2018|
|WordPress||Ubuntu Server 18.04 x64||$35,000||August 2018 through October 2018|
|NGINX||Ubuntu Server 18.04 x64||$200,000||August 2018 through November 2018|
|Apache HTTP Server||Ubuntu Server 18.04 x64||$200,000||August 2018 through December 2018|
|Microsoft IIS||Windows Server 2016 x64||$200,000||August 2018 through January 2019|
The ZDI stated once a target is pwned, it will be removed from the list and replaced by another.
A harmless proof-of-concept demo won't fill a white-hat's bank account: the TIP seeks fully functioning exploits of zero-day vulnerabilities, affecting “the core code of the selected target.”
Along the way, a winning attacker has to defeat mitigations including sandboxes, Address Space Layout Randomization (ASLR), operating system protections, and so on, and a vulnerability must lead to arbitrary code execution to qualify. Reported flaws will be passed on to vendors to patch. Good luck. ®