Security intelligence company iDefense has sweetened its offer to hackers who sell it details on new software vulnerabilities. The change comes one day after rival TippingPoint started to offer rewards for pinpointing bugs.
Both companies are vying to be the first to know about security vulnerabilities in other companies' products. The payouts are used to gain a competitive edge over rivals by having their products recognise more vulnerabilities that may be exploited in attacks by cybercriminals. iDefense was acquired by VeriSign two weeks ago.
In an email on Tuesday to the popular Full Disclosure security mailing list, iDefense announced that it is doubling its payments for vulnerability submissions. Additionally, the company is increasing rewards to researchers who contribute regularly and now offers extra payouts to those who increase their submissions year-on-year, the email said.
Money has increasingly become an incentive for hackers. Programmes such those from TippingPoint and iDefense offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.
iDefense said it did not make the changes in response to TippingPoint's competition, but to underscore its commitment to the program after being acquired by VeriSign. "However, it turns out that the timing is also good in that it helps us straddle the new competition," said Michael Sutton, a lab director at iDefense.
Both iDefense and TippingPoint work with the reporter of the bug to disclose it to the maker of the faulty software so a fix can be produced to protect users.
Only a few companies pay security researchers for finding software vulnerabilities. iDefense's Vulnerability Contributor Program has been around for three years. TippingPoint, part of 3Com, announced its Zero Day Initiative on Monday and will celebrate the launch Wednesday at the Black Hat security conference in Las Vegas.
Neither company discloses what amounts are paid for vulnerability information. However, Gael Delalleau, a French security researcher who has sold information to iDefense in the past, told ZDNet UK sister site CNET News.com that the payout is typically $300-$1,000 (£172-£574), depending on the vulnerability.
"That's less than a day's worth of consulting," he said in an email interview.
Delalleau welcomes TippingPoint's Zero Day Initiative as competition for the iDefense program. Security researchers might be able to get a fair price for their work now, he said. "I feel the amount should be at least equal to the time necessary to find and work on the vulnerability, with an hourly rate equal to that of a skilled consultant."
TippingPoint is not surprised by the competition. "There already was competition," said David Endler, director of security research at TippingPoint, noting that there is also an underground market for security vulnerabilities. "At the end of the day, the security researcher is going to be the winner."
iDefense and TippingPoint are both at Black Hat and the following Defcon hacker event to sell their programs to researchers.
Response to the programmes is mixed among security researchers. While Delalleau applauds the competition for security intelligence, others distrust the security companies and wonder if exploiting the flaw or selling it to criminal hackers could be too much of a lure.
"Can the security companies truly be trusted to diligently help to find a fix when their product is by its very nature dependent on insecure applications," said Keith McCanless, a security researcher who has been credited with finding security flaws in various products.
Emmanouel Kellinis, a security researcher in London, said he is certain many researchers would consider the programs if they can get paid. "On the other hand, there is a possibility that they can make more money by exploiting a vulnerability," he said.
