iDefense Posts $12,000 Bounty On Vista, IE 7 Bugs

The rewards are part of the security company's Vulnerability Contributor Program bounty scheme. The company has conducted higher-reward challenges like the Vista-IE 7 contest since early 2006.

"Both [Vista and IE 7] are new, and the number-one question from our customers is, 'should we adopt them, are these really secure?'" says Frederick Doyle, iDefense director of research in explaining the choices.

iDefense will pay the first six bug contributors $8,000 for new vulnerabilities that can be used to execute remote code—typically pegged "critical" by Microsoft—on a fully-patched system running Vista or IE 7. An additional $2,000 to $4,000 will be paid if the researcher comes up with working exploit code for his or her bug. Flaws in beta versions of either product aren't eligible for the bounty, which ends March 31.

Doyle wouldn't guess on how many vulnerabilities his team might receive. "It's too uncertain right now how vulnerable they are. Windows Vista is, though, the most secure operating system Microsoft has produced."

Previous challenges have posted bounties that topped out at $10,000; the boost, says Doyle, is a way to reward researchers who go the extra mile. "Some approach it in a very scientific way, but others just do the minimum amount of work, so we're restructuring the payments to reward the people who do a better job" by coming up with an additional exploit code.

iDefense is one of two security companies that pay researchers for vulnerabilities. The other, 3com's TippingPoint, also hands out cash rewards. The programs, claims iDefense, have been successful: One in four flaws patched by Microsoft in June, for example, were credited to bounty hunters. But both companies have been criticized by rival researchers, who argue that the rewards motivate hackers to dig up even more bugs.

Doyle's answer: "I doubt that if we stopped [offering rewards] that the vulnerability researchers would stop their research. This is to give our customers a competitive advantage." Both iDefense and TippingPoint defend their bug bounty programs as one more way to investigate vulnerabilities so they can then provide pre-emptive intelligence to enterprises and other clients.

Microsoft's response to iDefense targeting its operating system and browser was surprisingly muted. "Microsoft does not oppose programs that work through the established processes for responsible disclosure, and do not put customers at risk," a company spokesperson said in an e-mail.

"Microsoft doesn't want to speculate on the motives of third-party researchers but will say it is committed to working with them closely on the issues they bring to our attention. Whoever handles vulnerabilities, Microsoft does encourage them to responsibly disclose the vulnerability to the affected software vendor in order to protect all customers/users," the e-mail said.

For Microsoft, the term "responsible disclosure," which is often used by the company in its dealings with independent researchers, means that the vulnerability isn't made public until a patch has been produced by Microsoft's security team.

More information on the Vista and IE 7 bug hunt can be found on the iDefense Web site.