VeriSign’s iDefense Paying Big Bucks For Vista and IE 7 Bugs
VeriSign’s iDefense is offering big bucks, up to $12,000, for vulnerabilities found in Vista or IE7. VeriSign of course has an interest in this, as their job is to provide secure Internet transactions. In fact, according to their website, they process as many as 18 billion Internet interactions each day. It is no wonder they’re willing to pay big bucks for Microsoft’s flaws. iDefense, part of VeriSign, runs these Vulnerability Challenges quarterly, and the latest is just getting started.
According to an article over at eWeek.com, this comes about 1 month after some researchers at Trend Micro found that underground sites were offering $50,000 for each Vista flaw. The people getting $50,000 under the table probably won’t trade their even bigger bucks for the $8,000 that iDefense is offering. iDefense is willing to pay for a maximum of six vulnerabilities, each at $8,000. On top of that, they will pay $2,000-$4,000 for working exploit code for the submitted vulnerability. The additional amount will be based upon:
- Reliability of the exploit
- Quality of the exploit code
- Readability of the exploit code
- Documentation of the exploit code
If you’re interested in being a bug hunter, there’s a list of rules you’ll want to take a look at. Among them: the vulnerability can’t be caused by or depend on third-party software being installed, and it can’t require any social engineering beyond browsing a malicious site. The deadline is March 31st.
iDefense isn’t the only company offering money for vulnerabilities. TippingPoint, a division of 3Com, has a program called the Zero Day Initiative, or ZDI. Their program is similar: if a researcher discovers a vulnerability, they log into ZDI to submit it. 3Com tests the vulnerability, and after they verify it, they offer the researcher money. They take it a bit further though, and offer reward points for each submission. Those reward points lead to bonuses and other cool benefits.
What does Microsoft have to say about all of this? “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers.” Hmm... with money being offered, I don’t think researchers are going to willingly call Microsoft and tip them off for free when they could potentially make a good chunk of money. Sometimes it takes a little motivation ($$$). I guess Microsoft still benefits, because companies like VeriSign and 3Com contact them with the confirmed vulnerabilities so that they can get a patch out. There’s no need for Microsoft to pay when others are willing to fork out money and do the work on their behalf!
With all of this said, the underlying point is that companies paying to find vulnerabilities matters. With all of the new code being released in these new programs (which undoubtedly have a huge chunk of the market), it is really important that these vulnerabilities are found and patched as soon as possible. There are plenty of people who will be diligently searching for the bugs and vulnerabilities for their own financial gain at the expense of unsuspecting users.
I don’t understand how VeriSign benefits except image-wise.
An unsafe web is bad for business. If people felt that e-commerce was not safe they would not shop online. If no one is shopping online then VeriSign would sell fewer SSL certificates. Of course, VeriSign does more than sell SSL certificates, but the idea is the same; an unsafe web is bad for business and buggy MS software endangers web surfers.
Now, one has to ask, “Is this smart business or is Microsoft being short-sighted?”
I understand MS doesn’t want to encourage the bad guys to find/publish exploits, but they are going to do it anyway. Microsoft should provide an incentive to researchers (honest ones) to help find exploits before the dishonest (blackhat hackers) do.
I know that Microsoft normally holds conventions to try and present security exploits, but I don’t think that is enough. They should have better prepared Vista by holding contests similar to this and to try and draw the fatal flaws out before it was even released…which would surely help make it the securest version of Windows yet.
They did, sort of. They did offer their developers a couple hundred bucks per bug found for a short time. The developers were supposed to find these bugs while not at work.
I’m sure a few hundred dollars is a lot of motivation, but when we’re talking several thousand that takes motivation to a whole new level. That is about the stage that greed enters in and people feel obligated to be the first ones to find the exploits and be among the select few who could actually say “I broke Windows and got paid well to do it!” This is probably going as far as to tempt Kevin Mitnick (world renowned hacker that now runs a security firm) to bust out the old-school hacking tricks!