[Owasp-portland] Antivirus in the Enterprise - Is it dead yet?
tim.morgan at owasp.org
Wed Nov 18 22:09:36 UTC 2015
As a quick follow up, some data on what AV exploits might fetch in the
They list up to $40,000 for remote code execution or local privilege
escalation for AV bugs. That's for a fully working push-button
exploit. Suppose a talented person requires a full month of testing to
find one RCE. Then spends another month of work to develop a
weaponized exploit. That's still a healthy annual paycheck
(~$240000), and I know a number of researchers that now work
exclusively on bug bounties like this. This may be a reason we don't
hear about a lot more vulnerabilities these days. Of course many bugs
don't require nearly that much time for exploit development and
Tavis/Joxean found many more than that with much less search time.
More information about the OWASP-portland