Easy Cash? iDefense Offers Reward For Vista/IE 7 Flaws

The cyberthreat analysis company announced on its Web site that it will offer up to $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either Vista or IE7. The offer comes as iDefense's quarterly challenge.

"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty," iDefense writes on its site. "Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products."

Only the first submission for a given vulnerability will qualify for the reward, and iDefense says it will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions, based on submission date and time, will receive the rewards. The iDefense team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the reward. VeriSign acquired iDefense in 2005.

Here are the challenge's ground rules:

The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of either Vista or IE7;

The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied;

Release candidates, betas, and technology previews are not included in this challenge;

The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party;

The vulnerability cannot be caused by or require any additional third-party software installed on the target system; and

The vulnerability must not require additional social engineering beyond browsing a malicious site.

In addition to the $8,000 rewards, iDefense will pay between $2,000 and $4,000 for working exploit code that takes advantage of the submitted vulnerabilities. The arbitrary code execution must be of an uploaded non-malicious payload. Submission of a malicious payload is grounds for disqualification from this phase of the challenge.

The deadline for submission is before midnight on March 31.