VeriSign's iDefense Lab is paying hackers $8,000 for code execution flaws in Vista and IE7.
Is this behavior we should encourage? If it serves the greater good I suppose, but it feels strange.
The rules of engagement from the quarterly iDefense vulnerability challenge:
iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award.
And you get bonuses of $2,000 to $4,000 for working exploit code for the submitted vulnerability.
eWeek's Ryan Naraine notes that iDefense isn't the only outfit offering flaw bounties.
3Com's TippingPoint runs a similar program, called Zero Day Initiative, that pays researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code. The companies act as intermediaries in the disclosure process—handling the process of coordinating with the affected vendor—and use the vulnerability information to beef up protection mechanisms in their own security software, which is sold to third parties.
Needless to say, Microsoft is not too pleased with these flaw bounties, but that's hardly surprising. It's debatable whether these contests help protect the public. But then again, Microsoft's inability to patch current critical flaws isn't helping much either.