From: grarpamp <grarpamp@gmail.com>
Date: Wed, 6 Mar 2019 17:38:34 -0500
Subject: BSD and Linux so easy to exploit that Zerodium pays just $50k for uid0
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org

https://zerodium.com/program.html

"the research becomes the exclusive property of ZERODIUM and you are not allowed to re-sell, share, or report the research to any other person or entity."

Opensource Unix Foundations should strongly consider forming open collaborative crowdfunding and paying similarly to openly acquire and fix exploits, thus keeping them from going into secret blackholes which are often used directly against their very own users requiring, and in, security-sensitive environments (be they corp, gov, personal, edu, ngo, biz, research, journalism, etc...), reducing continued exploitation of the work, users, and infrastructures of Opensource Unix OS projects, through using bounties to identify improving production, review, security, audit, coding, feedback models in same.

"Many ... have bug bounty programs for those who want the exploit used for defensive purposes, ie fixed... but they pay orders of magnitude less. *This is a problem.*"
-- Bruce

Reassert and 0wn the problem.