iDefense contest offers as much as $12,000 for zero-day bugs and exploits in Vista, IE7

Psst. Wanna win $8,000 to $12,000?

iDefense Labs is holding a contest for hackers to come up with remote, arbitrary code-execution bugs in Microsoft Windows Vista and Internet Explorer 7. iDefense, which is part of VeriSign, will pay $8,000 for each vulnerability submitted that lets an attacker exploit code remotely on either of the two products. And if you write a working exploit for the winning vulnerability, iDefense will throw in another $2,000 to $4,000.

But no malicious payload, please: That disqualifies your exploit. iDefense will pay $8,000 for up to six bug submissions.

This isn't the first time iDefense has held bug contests. These are quarterly events at the security company; its most recent challenge to researchers was for instant messaging, and previous competitions offered cash for Windows flaws. Paying hackers for finding software bugs remains a controversial practice, and it plays into the "responsible" disclosure debate as well. (See Bucks for Bugs, Rift Widens Over Bug Disclosure, and Buggin' Out?)

"First we had the MOBB, the MOKB, and now the MOAB openly releasing vulnerabilities without contacting the vendor first as opposed to the normal open disclosure process, and now we have iDefense offering to buy day zero exploits," says Paul Henry, vice president of security evangelism for Secure Computing. "Releasing, and now trading in new exploits, is becoming an acceptable practice."

"What's next -- selling them on eBay? Sorry, but even that has been done before as well," Henry observes. "Remember the Excel vulnerability last year?"

The rules for this quarter's contest are the vulnerability must be original and not previously disclosed publicly or to Microsoft, exploitable and allow arbitrary code execution in the two products, and it must exist in the latest version of the technology with all patches and upgrades applied. It can't require additional third-party software on the targeted machine, and it can't require any social engineering "beyond browsing a malicious site," according to the competition notice.

"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty," iDefense Labs says in the competition notice.

And the contest is to "assuage this uncertainty" of vulnerabilities in these products, iDefense says in its notice.

So mark your calendar: The deadline for submissions is before midnight EST, March 31.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights