Psst. Wanna win $8,000 to $12,000?
iDefense Labs is holding a contest for hackers to come up with remote, arbitrary code-execution bugs in Microsoft Windows Vista and Internet Explorer 7. iDefense, which is part of VeriSign, will pay $8,000 for each vulnerability submitted that lets an attacker exploit code remotely on either of the two products. And if you write a working exploit for the winning vulnerability, iDefense will throw in another $2,000 to $4,000.
But no malicious payload, please: That disqualifies your exploit. iDefense will pay $8,000 for up to six bug submissions.
This isn't the first time iDefense has held bug contests. These are quarterly events at the security company; its most recent challenge to researchers was for instant messaging, and previous competitions offered cash for Windows flaws. Paying hackers for finding software bugs remains a controversial practice, and it plays into the "responsible" disclosure debate as well. (See Bucks for Bugs, Rift Widens Over Bug Disclosure, and Buggin' Out?)
"First we had the MOBB, the MOKB, and now the MOAB openly releasing vulnerabilities without contacting the vendor first as opposed to the normal open disclosure process, and now we have iDefense offering to buy day zero exploits," says Paul Henry, vice president of security evangelism for Secure Computing. "Releasing, and now trading in new exploits, is becoming an acceptable practice."
"What's next -- selling them on eBay? Sorry, but even that has been done before as well," Henry observes. "Remember the Excel vulnerability last year?"
The rules for this quarter's contest are the vulnerability must be original and not previously disclosed publicly or to Microsoft, exploitable and allow arbitrary code execution in the two products, and it must exist in the latest version of the technology with all patches and upgrades applied. It can't require additional third-party software on the targeted machine, and it can't require any social engineering "beyond browsing a malicious site," according to the competition notice.
"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty," iDefense Labs says in the competition notice.
And the contest is to "assuage this uncertainty" of vulnerabilities in these products, iDefense says in its notice.
So mark your calendar: The deadline for submissions is before midnight EST, March 31.
Kelly Jackson Higgins, Senior Editor, Dark Reading