SecuriTeam Secure Disclosure

Turn Your Vulnerabilities into Advantages

SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

SSD helps security researchers from all over the world to take the next step toward getting properly compensated for their efforts. We work with some of the brightest and most highly compensated people in the security industry and can help you advance your game - regardless of whether you are a beginner or have been discovering security issues for years.

The process is simple: send us a brief description of a vulnerability you have discovered and SecuriTeam Secure Disclosure will act as your agent. With just a sentence or two from you, we'll use our extensive contacts with vulnerability buyers to secure a list of potential purchasers. You then set a price for your vulnerability and we'll help negotiate a sale. SSD also ensures either that the transaction stays confidential or that you get full recognition; the choice is yours.

Your work is valuable and SSD will help you get the compensation you deserve.

For more information, contact ssd[at]beyondsecurity.com

Vulnerability Report Template

Researchers who plan to submit material to the SecuriTeam Secure Disclosure program should provide as much information as possible about the item. Complete information allows us to evaluate the item and confirm that it works as described in our testing environment.

If you don't have your own submission template, you can use this one as a guideline. Feel free to add more details (if needed), skip parts that are not relevant, or use your own format.

Vulnerability Report Form:

1) Vulnerability Title

2) Date of submission

3) Description of Product (from vendor/site)

4) Description of Vulnerability
4.1) Title
4.2) Product
4.3) Version
4.4) Homepage
4.5) Binary Affected
4.6) Binary Version
4.7) Binary MD5

5) Configuration Requirements

6) Vulnerability Requirements

7) Vulnerability Summary Information
7.1) Vulnerability Class
7.2) Affected Versions Tested
7.3) Affected Versions Assumed (explain assumption)
7.4) Unaffected Versions
7.5) Affected Platforms Tested (Windows, Linux, 32bit, 64bit, XP, Vista, 7, Ubuntu, etc)
7.6) Reliability Rating (Percentage)
7.7) Supported Targets (In what environment your PoC/exploit works 32bit/64bit, Windows, Linux, etc)
7.8) Attack Vector (Client Side File, Remote LAN, etc)
7.9) Exploitation Impact (Code Execution, Denial of Service, etc)
7.10) Exploitation Context (runs on server / attacks user)
7.11) Exploitation Indicators (crash of product, product closes and shell executes, log file indicates crash, etc)
7.11.1) In case of just a "crash", how to debug and observe the crash
7.11.2) In case of an exploit, how to change the shellcode
7.12) Prerequisites (enabling certain checkboxes, certain configuration settings)

8) CVSS Score (use http://nvd.nist.gov/cvss.cfm?calculator&version=2 )

9) Vulnerability Workaround (can the vulnerability be mitigated by enabling some feature)

10) Vulnerability Technical Details

11) Exploitation

12) Items delivered (a list of files provided with the submission, what they do and how to use them, if any third-party are needed to compile the exploit please provide a URL, or reference to it)

Securiteam Secure Disclosure News:

Hi Everyone,

December is a great time for summarizing the past year, and this is what I intend to do in this newsletter. If you are just interested in the gift, jump to "Gift".

In the past year we have had great expansion in the number of researchers we have been working with, and this was mainly through your help. I hope you can help us get more researchers to join the program and work with us in 2015. Don't forget: every new person you introduce to us will earn you $1,000 USD as soon as they sell us their first vulnerability!

We have sponsored 12 different security conferences worldwide, in one case 3 events in the same month. We did our best to spread those security conferences across the three major continents - North America, Europe and Asia - to make it convenient to attend.

We have sponsored 15 of our researchers to attend some of those conferences, providing free entry to the conference and plane travel.

To keep with our researcher focus program, we redistributed the profits via bonus payments for returning to us with additional vulnerabilities. The bonus is paid for researchers who continue to sell to us at least an item per quarter.

We have coordinated the release of dozens of security advisories highlighting vulnerabilities in popular products, and we have many more pending vendor acknowledgement and patching.

What is up for next year?
==================

Why don't you tell us?

We are currently working on our Roadmap for 2015 for the SSD project, we are working on conferences we would like you to attend and getting you paid more for the vulnerabilities you sell.

But maybe this isn't what you want; maybe it is something else. Why not let us know?

Gift

We are going to give any active SSD researcher a small free gift. It is a "Zoom Checkpoint-Friendly Compu-Messenger Bag". For those not familiar with this bag, just Google it.

It is one of the more versatile bags, and for those traveling to the USA or in the USA it allows you to not take out your laptop at the checkpoint.

If you would like to receive the bag (did I mention it is free?), just send me back an email with your:
- Full Name
- Full Address
- Contact Phone Number

These details will be used for the FedEx/UPS (depending on your country) delivery of the bag - sorry for needing a Phone Number, this is a requirement for FedEx/UPS delivery.

I will be sending it to any researcher that asks, and the only restriction is that this gift is limited to 1 bag per researcher.

Thanks,
Noam Rathaus
Beyond Security

Past newsletters:
SecuriTeam Secure Disclosure Newsletter 03
SecuriTeam Secure Disclosure Newsletter 02
SecuriTeam Secure Disclosure Newsletter 01

More Info:

Beyond Security is an Approved Scanning Vendor for the Payment Card Industry

Web Application Testing: discover security issues in web apps, web sites, their related equipment and databases