If the folks at VeriSign Inc.'s iDefense Labs unit have their way, it won't be long before a remotely exploitable flaw in Windows Vista is identified. The group has offered an $8,000 bounty to any researcher who finds such a vulnerability, and will also pay handsomely for a working exploit.
The bounty is part of the company's Quarterly Vulnerability Challenge, an element of its broader Vulnerability Contributor Program through which it pays independent researchers for information on unpublished vulnerabilities and exploits. The practice has drawn fire from a number of software vendors, including Microsoft Corp. and Oracle Corp., but also has been duplicated by other groups. 3Com Corp.'s TippingPoint unit began a similar program, called the Zero Day Initiative, in 2005, through which it buys vulnerabilities and exploits.
Late last month researchers at security vendor Determina identified a flaw in Vista, but it was only exploitable by a local user. Microsoft acknowledged the vulnerability, which also affects older versions of Windows.
The latest iDefense challenge asks researchers to submit a new, unpublished, remotely exploitable vulnerability in either Vista or Internet Explorer 7.0 before the end of March. The flaw must enable an attacker to execute arbitrary code through one of the two products. The company will pay $8,000 for such a flaw, and said it will buy up to six flaws in total. Anyone who submits working exploit code for a flaw in IE 7 or Vista can earn an additional bounty of $2,000 to $4,000.
As justification for the Vista challenge, iDefense cited the dominance of Windows and IE, and said that "the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty. Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products." The company said the bounty challenge will help allay those fears.
The phenomenon of research organizations paying for vulnerability data has not been without its critics, but in many cases users say that as long as organizations like iDefense and TippingPoint follow responsible disclosure practices, how the data on a new flaw gets to the affected vendor is of little importance. Someone is going to find the flaw eventually, so it is irrelevant whether the researcher was paid for it, this argument goes.
But software vendors have been critical of the pay-for-flaw market, saying that it encourages irresponsibility. The programs have flourished, despite some initial skepticism among researchers. By the end of its first year last summer, TippingPoint's ZDI had 400 registered researchers and had disclosed 30 flaws. Under the ZDI program, TippingPoint pays researchers on a sliding scale for finding new vulnerabilities in commercial software packages. The amount paid depends on a number of factors, including the severity of the flaw and whether the software it's in is widely deployed. TippingPoint then acts as a clearinghouse and submits the vulnerability data to the affected vendor and handles the rest of the disclosure process.
"The researchers don't have to deal with any of the frustration of dealing with the vendors," Dave Endler, director of security research at TippingPoint, said in an interview last year.