Turn Your Vulnerabilities into Advantages
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
SSD helps security researchers from all over the world to take the next step toward getting properly compensated for their efforts. We work with some of the brightest and most highly compensated people in the security industry and can help you advance your game - regardless of whether you are a beginner or have been discovering security issues for years.
The process is simple; send us a brief description of a vulnerability you have discovered and Securiteam Secure Disclosure will act as your agent. With just a sentence or two description from you, we'll use our extensive contacts with vulnerability buyers to secure a list of potential purchasers. You then set a price for your vulnerability and we'll help negotiate a sale. SSD also ensures that the transaction is confidential or that you get full recognition, it's up to you.
Your work is valuable and SSD will help you get the compensation you deserve.
For more information, contact ssd[at]beyondsecurity.com
Take a look at recently published work from SSD:
Vulnerability Report Template
Researchers that plan on handing in material to the SecuriTeam Secure Disclosure program should provide as much information as possible on the item. Complete information will allow us to evaluate the item and make sure that it works as promised in our testing environment.
If you don't have your own submission template, you can this as a guideline. Feel free to add more details (if needed), skip parts that are not relevant or use your own format.
Vulnerability Report Form:
1) Vulnerability Title
2) Date of submission
3) Description of Product (from vendor/site)
4) Description of Vulnerability
4.5) Binary Affected
4.6) Binary Version
4.7) Binary MD5
5) Configuration Requirements
6) Vulnerability Requirements
7) Vulnerability Summary Information
7.1) Vulnerability Class
7.2) Affected Versions Tested
7.3) Affected Versions Assumed (explain assumption)
7.4) Unaffected Versions
7.5) Affected Platforms Tested (Windows, Linux, 32bit, 64bit, XP, Vista, 7, Ubuntu, etc)
7.6) Reliability Rating (Percentage)
7.7) Supported Targets (In what environment your PoC/exploit works 32bit/64bit, Windows, Linux, etc)
7.8) Attack Vector (Client Side File, Remote LAN, etc)
7.9) Exploitation Impact (Code Execution, Denial of Service, etc)
7.10) Exploitation Context (runs on Server/ attacks User)
7.11) Exploitation Indicators (crash of product, product closes and shell executes, log file indicates crash, etc)
7.11.1) In case of a just a "crash", how to debug and see the crash
7.11.2) In case of an exploit, how to change the shellcode
7.12) Perquisites (enabling certain checkboxes, certain configuration settings)
8) CVSS Score (use http://nvd.nist.gov/cvss.cfm?calculator&version=2 )
9) Vulnerability Workaround (can the vulnerability be mitigated by enabling some feature)
10) Vulnerability Technical Details
12) Items delivered (a list of files provided with the submission, what they do and how to use them, if any third-party are needed to compile the exploit please provide a URL, or reference to it)
Securiteam Secure Disclosure News:
I am happy to have had the opportunity to meet some of you the conferences I attended so far, as well as had the pleasure to pay entrance and flight expenses to some of you. We sponsored researchers for 3 conferences since 2016 has started. If you didn't send me yet which conference you would like to attend, do so as soon as possible so that we would have adequate time to try and arrange it.
Thanks to all you that have brought in new researchers to work with us, a reminder that if you do so, you will get a nice bonus of 2,000$. Email me for further details.
2016 started and our vulnerability purchasing scope had expanded, you can see this through some of our previous purchases that got patched by the vendors in our blog site: http://blogs.securiteam.com, as well as in the vendors' advisories.
1) The following is a list of our current interest range from our web applications buyers:
Vulnerability type: Remote Code Execution - either by file injection and execution or direct code execution. The executed code privileges is not a factor, obviously high privileges would provide a higher payout.
Authentication: Pre-Authentication vulnerabilities, for RoundCube (*) post-authentication RCE would also be accepted.2) The following is a list of our current interest range from our non-web application buyers:
Vulnerability Type: Vulnerabilities that lead to code execution, logical bypass, arbitrary file read / write, unauthorized access, etc
3) If you have any item that isn't listed above, don't fear, email me and I can tell you whether it is or not relevant. Even if it is not relevant at the moment, I may be able to find a new buyer for it.
Let me know if you have any questions, suggestions, or anything else that you would like to talk about.
SecuriTeam Secure Disclosure Newsletter 07
SecuriTeam Secure Disclosure Newsletter 06
SecuriTeam Secure Disclosure Newsletter 05
SecuriTeam Secure Disclosure Newsletter 04
SecuriTeam Secure Disclosure Newsletter 03
SecuriTeam Secure Disclosure Newsletter 02
SecuriTeam Secure Disclosure Newsletter 01