This story was printed from ZDNet Australia.
iDefense offers bounty for Vista and IE7 flaws

By Tom Espiner, ZDNet UK
January 12, 2007
URL: http://www.zdnet.com.au/news/security/soa/iDefense-offers-bounty-for-Vista-and-IE7-flaws/0,130061744,339273017,00.htm


Security intelligence and analysis company iDefense will award an US$8,000 bounty for vulnerabilities found in Vista and Internet Explorer 7 (IE7).

iDefense, which became part of Verisign in July 2005, is offering the cash as part of its Vulnerability Contributor Program (VCP), which pays researchers who provide iDefense with advance notification of unpublished vulnerabilities and/or exploit code.

The offer runs as part of iDefense's first-quarter 2007 vulnerability challenge until 31 March, 2007. iDefense will pay US$8,000 for each submitted vulnerability that allows an attacker to remotely execute arbitrary code on a fully patched, default installation of Vista or IE7.

iDefense will award no more than six payments of US$8,000 for vulnerabilities. In addition, the company is offering US$2,000 to US$4,000 for working, non-malicious exploits for the flaws. According to Trend Micro, exploits for Vista sell on the black market for up to US$50,000.

iDefense is offering the rewards due to concerns among the security community over Microsoft's latest operating system and browser, the company said.

"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7 and/or Windows Vista is fraught with uncertainty," said iDefense in a statement.

"Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products."

Microsoft said it was aware of iDefense offering compensation for information regarding security vulnerabilities, but did not condone the method of offering flaw bounties.

"Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner," the company said in a statement.

iDefense's VCP, like TippingPoint's Zero Day Initiative, is designed to reward exclusive disclosure of vulnerabilities and exploits: the researcher sells the details to the program rather than reporting them directly to the affected vendor, so the exploit may not be divulged to that vendor immediately. In return the company gains control over the disclosure timeline and can update its own security products ahead of public disclosure.

Tom Espiner reported for ZDNet UK from London


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.