VeriSign's security arm iDefense announced this week that the company would pay independent flaw finders $8,000 for each remotely exploitable flaw found in Microsoft's Windows Vista or Internet Explorer 7.
In its first Quarterly Vulnerability Challenge for 2007, iDefense offered $8,000 for each flaw that can be remotely exploited in Vista or Internet Explorer 7. The company will award bounties for up to six different vulnerabilities. The company will pay an additional $2,000 to $4,000 for working exploit code.
"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty," the company said in the statement announcing the program. "Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products."
Offering money for flaws is still a controversial practice. iDefense established the Vulnerability Contributor Program in 2002, offering researchers cash for details of undisclosed flaws. The company later added quarterly and annual cash bonuses for the top contributors, as well as rewards for referring other researchers.
iDefense is not alone in offering funds for flaws. Networking giant 3Com's subsidiary TippingPoint created its own version of the program in 2005. To form the initiative, TippingPoint brought on David Endler, the original security manager who founded iDefense's program. The Mozilla Foundation has offered its own bounties for bugs found in Firefox, the open-source browser that has made significant market share gains in recent years because of perceived security issues with Microsoft's Internet Explorer.
The Quarterly Vulnerability Challenges target specific high-profile applications and software. Previous Quarterly Vulnerability Challenges focused on remotely exploitable flaws in instant messaging software and in the major browsers, including Apple's Safari, Mozilla's Firefox, and Opera's browser.
Posted by: Robert Lemos