[ISN] VeriSign Offers Hackers $8,000 Bounty on Vista, IE 7 Flaws

From: InfoSec News (alerts@private)
Date: Wed Jan 10 2007 - 22:35:59 PST


By Ryan Naraine
January 10, 2007

VeriSign's iDefense Labs has placed an $8,000 bounty on remote code 
execution holes in Windows Vista and Internet Explorer 7.

The Reston, Va., security intelligence outfit threw out the monetary 
reward to hackers as part of a challenge program aimed at luring 
researchers to its controversial pay-for-flaw VCP (Vulnerability 
Contributor Program).

The launch of the latest hacking challenge comes less than a month after 
researchers at Trend Micro discovered Vista flaws being hawked on 
underground sites at $50,000 a pop and illustrates the growth of the 
market for information on software vulnerabilities.

iDefense isn't the only brand-name player in the market. 3Com's 
TippingPoint runs a similar program, called Zero Day Initiative, that 
pays researchers who agree to give up exclusive rights to advance 
notification of unpublished vulnerabilities or exploit code.

The companies act as intermediaries in the disclosure processhandling 
the process of coordinating with the affected vendorand use the 
vulnerability information to beef up protection mechanisms in their own 
security software, which is sold to third parties.

"Both Microsoft Internet Explorer and Microsoft Windows dominate their 
respective markets, and it is not surprising that the decision to update 
to the current release of Internet Explorer 7.0 and/or Windows Vista is 
fraught with uncertainty. Primary in the minds of IT security 
professionals is the question of vulnerabilities that may be present in 
these two groundbreaking products," iDefense said in a note announcing 
the bounty.

The company said the motive of the challenge is to "help assuage this 

The rules are straightforward: iDefense will pay $8,000 for each 
submitted vulnerability that allows an attacker to remotely exploit and 
execute arbitrary code on either of the two Microsoft products.

Only the first submission for a given vulnerability will qualify for the 
payout, and iDefense will award no more than six payments of $8,000.

"If more than six submissions qualify, the earliest six submissions 
(based on submission date and time) will receive the award," the company 
said, stressing that the iDefense team at VeriSign will be responsible 
for making the final determination of whether or not a submission 
qualifies for the award.

To qualify, the vulnerability "must be remotely exploitable and must 
allow arbitrary code execution in a default installation of Vista or IE 
7.0. It [must] also exist in the latest version of the two products, 
with all available patches/upgrades applied."

Flaws in release candidate or beta versions do not qualify, and 
iDefense's rules make it clear that the vulnerability "must be original 
and not previously disclosed either publicly or to the vendor by another 

In addition to the $8,000 award for the flaw, iDefense will pay between 
$2,000 and $4,000, based on reliability, quality, readability and 
documentation, for working exploit code that exploits the submitted 
vulnerability. "The arbitrary code execution must be of an uploaded 
non-malicious payload. Submission of a malicious payload is grounds for 
disqualification from this phase of the challenge," the company said.

Microsoft typically frowns on the broker market for flaws in its 
products. "We do not believe that offering compensation for 
vulnerability information is the best way [researchers] can help protect 
customers," the company said during the last iDefense hacking challenge.

"Microsoft believes that responsible disclosure, which involves making 
sure that an update is available from software vendors the same day the 
vulnerability is first broadly known, is the best way to protect the end 
user," a Microsoft spokesperson, in Redmond, Wash., said at that time.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Wed Jan 10 2007 - 22:52:23 PST