iDefense Posts $12,000 Bounty On Vista, IE 7 Bugs - InformationWeek
iDefense Posts $12,000 Bounty On Vista, IE 7 Bugs

iDefense will pay $8,000 for new vulnerabilities that can be used to execute remote code, and an additional $2,000 to $4,000 for working exploit code.

VeriSign iDefense Labs will pay a $12,000 bounty for critical vulnerabilities in and exploit code for Microsoft's new Windows Vista operating system and Internet Explorer 7 browser. And Microsoft doesn't seem to mind.

The rewards are part of the security company's Vulnerability Contributor Program bounty scheme. The company has conducted higher-reward challenges like the Vista-IE 7 contest since early 2006.

"Both [Vista and IE 7] are new, and the number-one question from our customers is, 'should we adopt them, are these really secure?'" says Frederick Doyle, iDefense director of research, explaining the choice of targets.

iDefense will pay the first six bug contributors $8,000 for new vulnerabilities that can be used to execute remote code—typically pegged "critical" by Microsoft—on a fully-patched system running Vista or IE 7. An additional $2,000 to $4,000 will be paid if the researcher comes up with working exploit code for his or her bug. Flaws in beta versions of either product aren't eligible for the bounty, which ends March 31.

Doyle wouldn't guess how many vulnerabilities his team might receive. "It's too uncertain right now how vulnerable they are. Windows Vista is, though, the most secure operating system Microsoft has produced."

Previous challenges have posted bounties that topped out at $10,000; the boost, says Doyle, is a way to reward researchers who go the extra mile. "Some approach it in a very scientific way, but others just do the minimum amount of work, so we're restructuring the payments to reward the people who do a better job" by also producing working exploit code.

iDefense is one of two security companies that pay researchers for vulnerabilities. The other, 3Com's TippingPoint, also hands out cash rewards. The programs, claims iDefense, have been successful: one in four flaws patched by Microsoft in June, for example, was credited to bounty hunters. But both companies have been criticized by rival researchers, who argue that the rewards motivate hackers to dig up even more bugs.

Doyle's answer: "I doubt that if we stopped [offering rewards] that the vulnerability researchers would stop their research. This is to give our customers a competitive advantage." Both iDefense and TippingPoint defend their bug bounty programs as one more way to investigate vulnerabilities so they can then provide pre-emptive intelligence to enterprises and other clients.

Microsoft's response to iDefense targeting its operating system and browser was surprisingly muted. "Microsoft does not oppose programs that work through the established processes for responsible disclosure, and do not put customers at risk," a company spokesperson said in an e-mail.

"Microsoft doesn't want to speculate on the motives of third-party researchers but will say it is committed to working with them closely on the issues they bring to our attention. Whoever handles vulnerabilities, Microsoft does encourage them to responsibly disclose the vulnerability to the affected software vendor in order to protect all customers/users," the e-mail said.

For Microsoft, the term "responsible disclosure," which is often used by the company in its dealings with independent researchers, means that the vulnerability isn't made public until a patch has been produced by Microsoft's security team.

More information on the Vista and IE 7 bug hunt can be found on the iDefense Web site.
