The race to pick holes in Microsoft’s newest operating system and browser is
VeriSign’s iDefense Labs has kicked off its Vulnerability Contributor Program (VCP), a challenge to find remote arbitrary code execution vulnerabilities in Vista and Internet Explorer 7.0. VCP will pay $8,000 for the first six confirmed vulnerabilities.
It will pay an additional $2,000 to $4,000 for those who
also provide working exploit code for the submitted vulnerability, bringing
the total potential bounty to $12,000.
IDefense is looking for
vulnerabilities that are remotely exploitable and allow arbitrary code
execution without additional user interaction (like clicking an e-mail
attachment for example). Social engineering and other attacks
that require the user to do something other than actually just browsing a site
are not valid for this contest.
IDefense expects to receive well more than six reports of
vulnerabilities, but iDefense spokesman Jason Greenwood said the VCP stops at six because of budget constraints.
“We receive hundreds of vulnerability research submissions each month as
part of our normal contributor program,” Greenwood told
internetnews.com. “We expect to get many more than six submissions that
may qualify for this promotion.”
Microsoft does not endorse the challenge, and Greenwood said the company has not contacted VeriSign about the challenge. “We have a close working relationship with Microsoft and responsibly make them aware of vulnerabilities as we discover them,” Greenwood said.
That’s not to say that Microsoft isn’t aware of the iDefense challenge.
A Microsoft spokesperson told internetnews.com that Microsoft is
aware of iDefense offering compensation for information regarding security
vulnerabilities. The spokesperson added that Microsoft does not offer
compensation for information regarding security vulnerabilities and does not
encourage that practice.
“Our policy is to credit security researchers who report vulnerabilities to
us in a responsible manner,” the spokesperson said.
Though Microsoft will not pay for vulnerabilities, it won’t ignore
the vulnerabilities exposed by the challenge, either.
“Microsoft doesn’t want to speculate on the motives of third-party
researchers but will say it is committed to working with them closely on the
issues they bring to our attention,” the spokesperson said. “Whoever handles
vulnerabilities, Microsoft does encourage them to responsibly disclose the
vulnerability to the affected software vendor in order to protect all
VeriSign’s iDefense customers, however, may well get the leg up on Vista and
IE7 vulnerabilities, ahead of regular Microsoft users.
“Early notification of vulnerabilities is just one aspect of the research
the iDefense team does,” iDefense’s Greenwood said. “Our customers will
benefit from the challenge by knowing about potential threats before they
are exploited and giving them information to assess the potential risk prior
to a patch being put out by Microsoft.”