The Fear Industry

(Page 5 of 6)

"There's a misconception that anyone who finds a vulnerability is malicious," says David Endler, director of security research at 3Com and TippingPoint. "There are legitimate security researchers, but not all of them know what to do with their findings."

Once TippingPoint has evaluated a submission, it makes the independent researcher a financial offer based on the value of the vulnerability to TippingPoint customers, though the company won't say how much it pays. After a price is agreed upon, TippingPoint requires the researcher to send a copy of a government-issued identification and other information to verify their identity before the bounty is paid.

Some say that bounties work because they attract security researchers whose work would otherwise be ignored by big software vendors. "If you get some researcher with a handle of 'xyoc,' will Microsoft talk to this guy?" says Ken Dunham, director of the rapid response team at iDefense, a security research group that VeriSign bought in July 2005. Through iDefense, VeriSign pays researchers who provide it with notice of unpublished vulnerabilities and exploit code. Created in 2002, the program taps nearly 300 independent researchers.

IDefense pays a bounty of $10,000 for any vulnerabilities in Microsoft products that Microsoft classifies as critical. Paying for flaws may sound unsavory, but iDefense created its program after its researchers saw Microsoft WMF vulnerabilities being sold for $4,000 on the black market. "We're providing an outlet," says Joseph Payne, iDefense's president and COO. "There's already an underground market for these vulnerabilities."

Microsoft isn't keen on a $10,000 bounty to find critical flaws in its products. "Our preferred method is working with the community directly rather than creating an economy for this work," says George Stathakopoulos, a senior director of security at Microsoft. Still, Microsoft hasn't asked iDefense to drop the incentive program.

Redmond Reaches Out

Microsoft's acceptance of the security research community has come a long way, including acknowledging the gray areas in which they must work. "The notion of good and evil is confusing in this space," Stathakopoulos admits. "Our job is to understand this community and promote responsible disclosure."

Microsoft hardly wants a repeat of its Windows 2000 Plug and Play problem, when ISS researchers last year found a flaw that let attackers take complete control of affected systems and remotely execute code, leading to the various incarnations of the Zotob worm.
