$8,000 Bounty for IE 7 and Windows Vista Flaws

VeriSign's iDefense Labs has started offering bounties for flaws found in Internet Explorer 7 and Windows Vista, and is paying extra for working demonstration code, provided that code does not carry a malicious payload. The rewards are meant to draw researchers into iDefense's pay-for-flaw Vulnerability Contributor Program.

“Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty. Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products,” iDefense said in a note announcing the bounty.

The company said the motive of the challenge is to “help assuage this uncertainty.”

The rules are straightforward: iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products.

Only the first submission for a given vulnerability will qualify for the payout, and iDefense will award no more than six payments of $8,000.

“If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award,” the company said, stressing that the iDefense team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award.

To qualify, the vulnerability “must be remotely exploitable and must allow arbitrary code execution in a default installation of Vista or IE 7.0. It [must] also exist in the latest version of the two products, with all available patches/upgrades applied.”

Flaws in release candidate or beta versions do not qualify, and iDefense’s rules make it clear that the vulnerability “must be original and not previously disclosed either publicly or to the vendor by another party.”

In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000, based on reliability, quality, readability and documentation, for working exploit code that exploits the submitted vulnerability. “The arbitrary code execution must be of an uploaded non-malicious payload. Submission of a malicious payload is grounds for disqualification from this phase of the challenge,” the company said. Source: eWeek

This is similar to 3Com's TippingPoint, which runs the Zero Day Initiative: it pays researchers for unpublished vulnerabilities or exploit code, and the researchers in turn give the affected vendor advance notification. Microsoft, of course, has said that paying for vulnerabilities is not the best approach to security, but a bounty like this will almost certainly encourage a bit more research into both products, especially if researchers can turn up qualifying flaws quickly.