This time, email is the target: iDefense this week issued its latest quarterly vulnerability challenge to hackers, and it's looking for new remote code execution bugs in specific email clients and servers.
The contest focuses on the most popular email packages, including Microsoft Outlook, Mozilla Thunderbird, Microsoft Outlook Express, Sendmail SMTP daemon, and Microsoft Exchange Server.
iDefense's previous zero-day bug-hunting contest gave out awards for bugs in core Internet and intranet applications. (See iDefense Offers Bucks for New Bugs.) The email bug challenge offers between $8,000 and $12,000: the winning submission gets $8,000, plus another $1,000 to $4,000 for proof-of-concept exploit code, depending on the reliability and quality of the POC.
Critics say bug contests are more of a marketing ploy and don't always yield quality research, but iDefense contends that it practices responsible disclosure and alerts both the affected vendor and its customers of a new zero-day simultaneously.
The vulnerability must be for the latest (and fully patched) version of the designated email products, must be remotely exploitable, and must execute code on the targeted email client or server. Social engineering is prohibited: "In the context of this challenge only, exploitation includes the act of exploiting an e-mail client by opening the e-mail message with the default handler," according to iDefense's rules.
The bugs have to be original and not disclosed anywhere previously, and can't use or be caused by any third-party software on the target email client or server. The deadline is before midnight EST on December 31.
Kelly Jackson Higgins, Senior Editor, Dark Reading