‘Dirty dozen’ bugs: Wanted dead or alive

ExploitHub is offering bounties on the 12 “most wanted” client-side security bugs

Researchers can earn up to $4,400 for submitting working exploits against the 12 vulnerabilities, and retain the right to sell these exploits in the marketplace, NSS Labs said. Each exploit will be worth somewhere between $100 and $500. The first participant to submit a working exploit wins.

NSS Labs said the ExploitHub bounty program allows users to request development of an exploit against any vulnerability. Users can provide incentives to developers by committing to pay a fixed one-time ‘bounty’ upon delivery.

Ten of the “dirty dozen” vulnerabilities are in Microsoft's Internet Explorer browser, with the remaining two in Adobe Flash Player.

Submitted bounty candidates need to be client-side remote exploits that result in code execution; proof-of-concept crashes and denial-of-service demonstrations do not count. NSS said that exploits for these vulnerabilities are not currently available in the Metasploit Framework community edition or in other exploit toolkits.

“Client-side exploits are the weapons of choice for modern attacks, including spear phishing and so-called APTs. Security professionals need to catch up,” said Rick Moy, chief executive officer at NSS Labs. “This program is designed to accelerate the development of testing tools, as well as help researchers do well by doing good.”
