Less than zero-day
[This was prepared the morning of October 1, but not posted because I expected more to come of the story rather quickly. It now appears that 1. is true.]
OK, so at Toorcon a couple of guys — one of whom works at SixApart — reported on a Firefox 0day.
These gents claim to have another 30 vulns that they are going to hold onto.
That’s interesting. Mozilla offers a $500 bug bounty. Therefore, I conclude that either:
1. These guys do not have the 0days they claim to have, or
2. They expect to get more than $500 for them elsewhere, or
3. They dislike money.
I find 3. hard to believe.