Security intelligence and analysis company iDefense is to offer an $8,000 bounty for vulnerabilities found in Vista and Internet Explorer 7 (IE7).
iDefense, which became part of Verisign in July 2005, is offering the cash as part of its Vulnerability Contributor Program (VCP), which pays researchers who provide iDefense with advance notification of unpublished vulnerabilities and/or exploit code.
The offer, which is running as part of iDefense's Q1 2007 vulnerability challenge until 31 March, 2007, is that iDefense will pay $8,000 (£4,117) for news of each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on fully patched default versions of Vista or IE7.
iDefense will award no more than six payments of $8,000 for vulnerabilties. In addition, the company is offering $2,000 to $4,000 for working, non-malicious exploits for the flaws. According to Trend Micro, exploits for Vista sell on the black market for up to $50,000.
iDefense is offering the rewards due to concerns among the security community over Microsoft's latest operating system and browser, the company said.
"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7 and/or Windows Vista is fraught with uncertainty," said iDefense in a statement. "Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products," the announcement continued.
Microsoft said it was aware of iDefense offering compensation for information regarding security vulnerabilities, but did not condone the method of offering flaw bounties. "Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner," the company said in a statement.
iDefense's VCP, like TippingPoint's Zero Day Initiative, is designed to reward exclusive disclosure of vulnerabilities and exploits — the exploit may not be immediately divulged to the affected vendor. In return the company gains control over disclosure and can update its own security products.
