[Owasp-portland] Antivirus in the Enterprise - Is it dead yet?

Tim tim.morgan at owasp.org
Wed Nov 18 22:09:36 UTC 2015


Hi again,

As a quick follow-up, some data on what AV exploits might fetch in the
grey market:
  https://zerodium.com/program.html

They list up to $40,000 for remote code execution or local privilege
escalation for AV bugs.  That's for a fully working push-button
exploit. Suppose a talented person requires a full month of testing to
find one RCE.  Then spends another month of work to develop a
weaponized exploit.  That's still a healthy annual paycheck
(~$240000), and I know a number of researchers that now work
exclusively on bug bounties like this.  This may be a reason we don't
hear about a lot more vulnerabilities these days.  Of course many bugs
don't require nearly that much time for exploit development and
Tavis/Joxean found many more than that with much less search time. 

tim

