Betting on Vulnerabilities - no Really, Who Wants Odds?

Quadszilla ran an interesting article on betting on which blog you think will be the biggest in Technorati’s ranking.  While that’s pretty damned interesting (and feels very game-able - and great press for Technorati as well) it got me thinking.  Why hasn’t there ever been anything like this for hacking?  I mean we’ve all said it, “I bet you a buck so and so is hackable”.  Well, I propose that we take the top 500 Alexa sites (that’s probably too many to do odds on, but you could pick and choose) and do something similar.

We could set up a pool, and do it right.  Taking odds on who is hackable has a unique problem that most gambling does not - the users who are betting can actually change the outcome of the game.  Let’s say I rank Yahoo at 1:5 above MSN at 1:10.  Now people would be more likely to bet on MSN and then hack it first.  The challenges involved for a bookie in this would be tremendous, but I’m sure they could be figured out.  Just like anything, there will be winners and losers.

Of course, I’m mostly kidding (gambling is illegal where I live and the legalities involved are highly questionable), but wouldn’t that be interesting? You could base it off of all sorts of vectors, like how many form fields a site has, or how long the site function has been live (a tried and true variable), etc…  There are a ton of factors that could actually go a long way towards classifying how vulnerable a site is, just by the looks of it, rather than by doing any in-depth penetration testing.  You’d probably need to vary the odds based on what types of vulnerabilities are found (one for cross site scripting, one for full shell access, one for complete data theft, etc…).  Pretty crazy concept!

2 Responses to “Betting on Vulnerabilities - no Really, Who Wants Odds?”

  1. Andy Says:

    Hypothetically speaking (no betting is taking place here, no sir) what odds would you put on your blog and why? Have you gone to any great lengths to harden WordPress here?

  2. RSnake Says:

    I answered your question on the main page, Andy, because I think this is a really good question, and worth going into a bit more. Thanks for writing!