A Web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of newly disclosed and dangerous security hole in all supported versions of Microsoft Windows.
That reward, which is sure to only increase with each passing day, is offered to any developer who can devise an exploit for one of two critical vulnerabilities that Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP is designed as a way to let administrators control and configure machines remotely over a network).
Update, 8:47 a.m.: The RDP exploit may already be available. There are unconfirmed reports that a working exploit for the RDP bug has been posted to Chinese-language forums.
The bounty comes courtesy of contributors to gun.io (pronounced gun-yo), a site that advances free and open software. The current bounty offered for the exploit is almost certainly far less than the price such a weapon could command the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research. But the site shows promise for organizing a grassroots effort at crafting exploits that can be used by attackers and defenders alike to test the security of desktops and the networks in which they run.
“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.
Gun.io is the brainchild of Rich Jones, a 23-year-old Bostonite who just moved to Berkeley, Calif. Most recently, Jones ran a research P2P project called Anomos, which is an anonymous variant of the BitTorrent protocol. He also runs the OpenWatch Project, which uses mobile technology as a way of surveilling the police and other people in positions of power.
“I started Gun.io after working for a few years as a freelance developer and open source programmer,” Jones said in an email interview. “I wanted a way to get high quality, short term freelance jobs while also continuing to contribute back to the open source community. I’m particularly interested in the things that happen when people pool their money together, so we provide a free group fundraising platform for open source projects.”
Gun.io quietly launched about six months ago, and has already gained thousands of contributors. Until this week it had never offered a bounty for a software exploit, Jones said.
In fact, the RDP exploit is hardly the most lucrative coding project up for bid on the site. A project posted by user “Sushee” to develop a Flash game social network is offering $4,000. Another promises $2,000 for an open source Android Youtube application in support of individuals who are blind.
It’s not clear yet whether the open-source bounty model has a future for encouraging the development of software exploits. Most of the money for the RDP project was put up by Rapid7’s HD Moore. The Gun.io reward is for an exploit that can run as a module in Metasploit, an open source penetration testing platform that Moore created.
Jones said Moore’s donation brought with it a suggestion about a new nickname for Gun.io: “KiddieStarter.”
“If GitHub and oDesk had a baby, and then that baby had a baby with KickStarter, that baby would be Gun.io,” Jones joked. “Kickstarter for coders isn’t far off, but it’s not quite on the mark either. KickStarter is a person saying ‘Hey, give me money!,’ but Gun.io is a group of people saying ‘Hey! Somebody do this and take our money!'”