By Ryan Naraine
January 10, 2007
VeriSign's iDefense Labs has placed an $8,000 bounty on remote code
execution holes in Windows Vista and Internet Explorer 7.
The Reston, Va., security intelligence outfit threw out the monetary
reward to hackers as part of a challenge program aimed at luring
researchers to its controversial pay-for-flaw VCP (Vulnerability
The launch of the latest hacking challenge comes less than a month after
researchers at Trend Micro discovered Vista flaws being hawked on
underground sites at $50,000 a pop and illustrates the growth of the
market for information on software vulnerabilities.
iDefense isn't the only brand-name player in the market. 3Com's
TippingPoint runs a similar program, called Zero Day Initiative, that
pays researchers who agree to give up exclusive rights to advance
notification of unpublished vulnerabilities or exploit code.
The companies act as intermediaries in the disclosure processhandling
the process of coordinating with the affected vendorand use the
vulnerability information to beef up protection mechanisms in their own
security software, which is sold to third parties.
"Both Microsoft Internet Explorer and Microsoft Windows dominate their
respective markets, and it is not surprising that the decision to update
to the current release of Internet Explorer 7.0 and/or Windows Vista is
fraught with uncertainty. Primary in the minds of IT security
professionals is the question of vulnerabilities that may be present in
these two groundbreaking products," iDefense said in a note announcing
The company said the motive of the challenge is to "help assuage this
The rules are straightforward: iDefense will pay $8,000 for each
submitted vulnerability that allows an attacker to remotely exploit and
execute arbitrary code on either of the two Microsoft products.
Only the first submission for a given vulnerability will qualify for the
payout, and iDefense will award no more than six payments of $8,000.
"If more than six submissions qualify, the earliest six submissions
(based on submission date and time) will receive the award," the company
said, stressing that the iDefense team at VeriSign will be responsible
for making the final determination of whether or not a submission
qualifies for the award.
To qualify, the vulnerability "must be remotely exploitable and must
allow arbitrary code execution in a default installation of Vista or IE
7.0. It [must] also exist in the latest version of the two products,
with all available patches/upgrades applied."
Flaws in release candidate or beta versions do not qualify, and
iDefense's rules make it clear that the vulnerability "must be original
and not previously disclosed either publicly or to the vendor by another
In addition to the $8,000 award for the flaw, iDefense will pay between
$2,000 and $4,000, based on reliability, quality, readability and
documentation, for working exploit code that exploits the submitted
vulnerability. "The arbitrary code execution must be of an uploaded
non-malicious payload. Submission of a malicious payload is grounds for
disqualification from this phase of the challenge," the company said.
Microsoft typically frowns on the broker market for flaws in its
products. "We do not believe that offering compensation for
vulnerability information is the best way [researchers] can help protect
customers," the company said during the last iDefense hacking challenge.
"Microsoft believes that responsible disclosure, which involves making
sure that an update is available from software vendors the same day the
vulnerability is first broadly known, is the best way to protect the end
user," a Microsoft spokesperson, in Redmond, Wash., said at that time.
Subscribe to InfoSec News