If the folks at VeriSign Inc.'s iDefense Labs unit have their way,
it won't be long before a remotely exploitable flaw in Windows
Vista is identified. The group has offered an $8,000 bounty to any
researcher who finds such a vulnerability, and will also pay
handsomely for a working exploit.
The bounty is part of the company's Quarterly Vulnerability
Challenge, an element of its broader Vulnerability Contributor
Program, through which it pays independent researchers for information on
unpublished vulnerabilities and exploits. The practice has drawn
fire from a number of software vendors, including Microsoft Corp.
and Oracle Corp., but also has been duplicated by other groups.
3Com Corp.'s TippingPoint unit began a similar program, called the
Zero Day Initiative, in 2005, through which it buys vulnerabilities
and exploits.
Late last month researchers at security vendor Determina
identified a flaw in Vista, but it could be exploited only by a user
already logged on to the machine, not by a remote attacker.
Microsoft acknowledged the vulnerability, which also affects older
versions of Windows.
The latest iDefense challenge asks researchers to submit a new,
unpublished, remotely exploitable vulnerability in either Vista or
Internet Explorer 7.0 before the end of March. The flaw must enable
a remote attacker to execute arbitrary code through one of the two
products.
The company will pay $8,000 for such a flaw, and said it will buy
up to six flaws total. Anyone who submits working exploit code for
a flaw in IE 7 or Vista can earn a bounty of $2,000 to $4,000, as
well.
As justification for the Vista challenge, iDefense cited the
dominance of Windows and IE, and said "that the decision to update
to the current release of Internet Explorer 7.0 and/or Windows
Vista is fraught with uncertainty. Primary in the minds of IT
security professionals is the question of vulnerabilities that may
be present in these two groundbreaking products." The company said
the bounty challenge will help allay those fears.
The phenomenon of research organizations paying for
vulnerability data has not been without its critics, but in many
cases users say that as long as organizations like iDefense and
TippingPoint follow responsible disclosure practices, how the data
on a new flaw gets to the affected vendor is of little importance.
Someone is going to find the flaw eventually, so it's irrelevant
whether the researcher was paid for it, this argument goes.
But software vendors have been critical of the pay-for-flaw
market, saying that it encourages irresponsibility. The programs
have flourished, despite some initial skepticism among researchers.
By the end of its first year last summer, TippingPoint's ZDI had
400 registered researchers and had disclosed 30 flaws. Under the
ZDI program, TippingPoint pays researchers on a sliding scale for
finding new vulnerabilities in commercial software packages. The
amount paid depends on a number of factors, including the severity
of the flaw and whether the software it's in is widely deployed.
TippingPoint then acts as a clearinghouse and submits the
vulnerability data to the affected vendor and handles the rest of
the disclosure process.
"The researchers don't have to deal with any of the frustration
of dealing with the vendors," Dave Endler, director of security
research at TippingPoint, said in an interview last year.