VeriSign’s iDefense is offering big bucks, up to $12,000, for vulnerabilities found in Vista or IE7. VeriSign, of course, has an interest in this, as its business is securing Internet transactions. In fact, according to its website, it processes as many as 18 billion Internet interactions each day. It is no wonder they’re willing to pay big bucks for Microsoft’s flaws. iDefense, part of VeriSign, runs these Vulnerability Challenges quarterly, and the latest is just getting started.
According to an article over at eWeek.com, this comes about a month after researchers at Trend Micro found underground sites offering $50,000 for each Vista flaw. The people getting $50,000 under the table probably won’t trade their even bigger bucks for the $8,000 that iDefense is offering. iDefense is willing to pay for a maximum of six vulnerabilities, at $8,000 each. On top of that, they will pay $2,000-$4,000 for working exploit code for the submitted vulnerability. The additional amount will be based upon:
- Reliability of the exploit
- Quality of the exploit code
- Readability of the exploit code
- Documentation of the exploit code
If you’re interested in being a bug hunter, there’s a list of rules you’ll want to take a look at. Among them: the vulnerability can’t be caused by or require third-party software, and it can’t require any social engineering beyond browsing to a malicious site. The deadline is March 31st.
iDefense isn’t the only company offering money for vulnerabilities. TippingPoint, a division of 3Com, has a program called the Zero Day Initiative, or ZDI. Their program is similar: if a researcher discovers a vulnerability, they log into ZDI to submit it. 3Com tests the vulnerability, and after verifying it, offers the researcher money. They take it a bit further, though, and award reward points for each submission. Those reward points lead to bonuses and other cool benefits.
What does Microsoft have to say about all of this? “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers.” Hmm... with money being offered, I don’t think researchers are going to willingly call Microsoft and tip them off for free when they could potentially make a good chunk of money. Sometimes it takes a little motivation ($$$). I guess Microsoft still benefits, because companies like VeriSign and 3Com contact them with the confirmed vulnerabilities so that they can get a patch out. There’s no need for Microsoft to pay when others are willing to fork out the money and do the work on their behalf!
With all of this said, the underlying point is that companies paying to find vulnerabilities matters. With all of the new code being released in these new products (which undoubtedly have a huge chunk of the market), it is really important that these vulnerabilities are found and patched as soon as possible. There are plenty of people who will be diligently searching for the bugs and vulnerabilities for their own financial gain, at the expense of unsuspecting users.