Find a Vista or IE 7 flaw, reel in $8,000

Summary:VeriSign's iDefense Lab is paying hackers $8,000 for code execution flaws in Vista and IE7. Is this behavior we should encourage?

VeriSign's iDefense Lab is paying hackers $8,000 for code execution flaws in Vista and IE7.

Is this behavior we should encourage? If it serves the greater good I suppose, but it feels  strange. 

The rules of engagement from the quarterly iDefense vulnerability challenge

iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award.

And you get bonuses of $2,000 to $4,000 for working exploit code for the submitted vulnerability.

[poll id=39] 

eWeek's Ryan Naraine notes that iDefense isn't the only outfit offering flaw bounties.

3Com's TippingPoint runs a similar program, called Zero Day Initiative, that pays researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code. The companies act as intermediaries in the disclosure process—handling the process of coordinating with the affected vendor—and use the vulnerability information to beef up protection mechanisms in their own security software, which is sold to third parties.

Needless to say, Microsoft is not too pleased with these flaw bounties, but that's not all too surprising. It's debatable whether these contests help protect the public. But then again Microsoft's inability to patch current critical flaws isn't helping much either. 

Topics: Security


Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.