A few weeks ago the Metasploit team announced a bounty program for a list of 30 vulnerabilities that were still missing Metasploit exploit modules. The results so far have been extremely positive and I wanted to take a minute to share some of the statistics.
As of last night, there have been 27 participants in the bounty program resulting in 10 submissions, with 5 of those already committed to the open source repository and the rest in varying states of completeness.
One vulnerability was proven to be incredibly difficult (and likely impossible) to exploit, as Joshua Drake writes in his extensive blog post about the research process. For those of you who haven't spent a week banging your head against a difficult bug, this post can give you an idea of how much work is involved just to state whether or not a security flaw is exploitable. Microsoft bulletins tend to err on the side of exploitability even when there isn't direct evidence to make the case for code execution.
Christopher Mcbee (Hal) deserves recognition for being the first person to submit a module for the Siemens FactoryLink vulnerability.
Alino was not only the first person to claim a $500 bounty, but he also managed to complete a second bounty as well!
Not everything went according to plan: three participants gave up before the one-week deadline, eleven folks were not able to submit something in time, and one was disqualified for attempting to submit a snippet of commercial code as their own. One thing has been clear, though: the Metasploit Community includes some amazing exploit developers and has an energy level that is tough to find in any other area of information security. Since the bounty was announced, we have seen a record level of new patches, modules, suggestions, and community participation in the development process.
The bounty program is still running until July 20th; if you haven't had a chance to look at the list, you are running out of time to claim an item before the final deadline. Thanks again to everyone who participated so far and keep the submissions coming!