This site recommends zerodayinitiative.com ? - HeapOverflow Computer Security Community & Forums


sx3rq0prhwvo3rg@temporary
24-08-06, 20:44
Hi,

I have some questions about this: why do you recommend ZDI?

And can we send them a PHP (phpBB, PunBB...) exploit? If yes, approximately how much do they pay for, for example, a HIGH RISK phpBB exploit?

Thanks

class101
25-08-06, 00:22
I think they are not interested at all in phpBB; they are interested in applications widely used in organisations. They also reject a lot, but when you get one that interests them, yes, they put far more cash on it than iDefense, believe me. That's why ZDI actually got a large part of my discoveries, and I hope to continue with them as long as I can.

Note that you will have to submit a paper describing the vulnerability as well as possible, a working proof of concept, and anything useful such as a movie, snapshots, etc.

And after both parties are OK to work, payment is ultra fast: the same week or the next one.

Here is more info:

Submission Criteria
We are looking for the following criteria when determining to purchase submitted advisories:

The vulnerability must be remotely exploitable. Aside from server-side vulnerabilities we will also accept code execution vulnerabilities in e-mail and web clients and file format parsing vulnerabilities in commonly exchanged and trusted files.

The vulnerability should exist in the latest available version of the affected product. This is a general rule to which exceptions can be made for very popular software that tends to have a lag time associated with enterprise wide updating.

The vulnerability must exist in products with widespread deployment. We are only interested in purchasing vulnerability information that we would typically create protection filters against. This currently includes vulnerabilities in the major hardware and software products typically found in many environments.

If you have any questions or comments regarding our interest level in a particular advisory feel free to contact us directly or submit via the portal for review. The following is a list of vendors that we are interested in. Please note that this is not a complete list, you may submit advisories for vendors not on this list and they will be considered:

* 3Com / TippingPoint
* AT&T
* Adobe
* America Online
* Apache
* Apple Computer
* Avaya
* Cerulean Studios
* Check Point / SourceFire / Snort
* Cisco / Linksys
* Citrix
* Computer Associates
* Concurrent Versions System
* D-Link
* Enterasys
* F-Secure
* Hewlett-Packard
* IBM
* Internet Security Systems
* Ipswitch
* Juniper
* Lotus
* Lucent
* Macromedia
* McAfee
* Microsoft
* Mozilla
* MySQL
* NetIQ
* Netopia
* Netscape
* Network Associates
* Nortel
* Novell
* OpenSSH
* Oracle / PeopleSoft
* PGP
* PostgreSQL
* Qmail
* QUALCOMM
* RSA Security
* RealNetworks
* Research In Motion
* SAP
* SSH Communications Security
* Samba
* Sendmail
* Skype
* Sophos
* Squid
* Subversion
* Sun Microsystems
* Sybase
* Symantec / VERITAS
* Trend Micro
* WatchGuard

sx3rq0prhwvo3rg@temporary
25-08-06, 22:41
OK, thx.

Do you know about other companies that are probably more interested in PHP exploits? Or are there only iDefense and ZDI?

And does ZDI accept demonstrations coded for Metasploit?

class101
26-08-06, 00:30
Maybe you should try idefense.com or digitalarmaments.com. I don't really know either; I just used iDefense one time.

About Metasploit, yeah, I think it is OK; this is like a standard tool for CISSPs who don't really know exploitation.

sx3rq0prhwvo3rg@temporary
27-08-06, 23:29
But the best way is to send the exploit to all these companies and wait for their offers, and whoever gives the best price, we sell it to them, isn't it?

class101
28-08-06, 06:37
Yes, and the cost depends on your work :)

sx3rq0prhwvo3rg@temporary
29-08-06, 23:36
But when we don't accept their offer, what do they do with the exploit? Nothing?