-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I got an email from them, too. It's different than what choose.a.username posted. $400 ain't enough? how much is MSFT paying you right now for discovering bugs in their stuff? No worries...less moola for you, more for me :P It's about time! point of clarification: they didn't say money for 0-days....read through the email and website ... SG /BEGIN E-MAIL POST/ Greetings, iDEFENSE is pleased to announce the official launch of its Vulnerability Contributor Program (VCP). The VCP pays contributors for the advance notification of vulnerabilities, exploit code and malicious code. iDEFENSE hopes you might consider contributing to the VCP. The following provides answers to some basic questions about the program: Q. How will it work? A. iDEFENSE understands the majority of security researchers do not publish security research for compensation; rather, it could be for any of a number of motivations, including the following: * Pure love of security research * The desire to protect against harm to targeted networks * The desire to urge vendors to fix their products * The publicity that often accompanies disclosure The VCP is for those who want to have their research made public to the Internet community, but who would also like to be paid for doing the work.The compensation will depend, among other things, on the following items: * The kind of information being shared (i.e. vulnerability or exploit) * The amount of detail and analysis provided * The potential severity level for the information shared * The types of applications, operating systems, and other software and hardware potentially affected * Verification by iDEFENSE Labs * The level of exclusivity, if any, for data granted to iDEFENSE Q. Who should contribute to the VCP? A. The VCP is open to any individual, security research group or other entity. Q. Why are you launching this program? A. Timeliness remains a key aspect in security intelligence. Contributions to some lists take time before publication to the public at large. More often, many of these services charge clients for access without paying the original contributor. Under the iDEFENSE program, the contributor is compensated, iDEFENSE Labs verifies the issue, and iDEFENSE clients and the public at large are warned in a timely manner. Q. Who gets the credit? A. The contributor is always credited for discovering the vulnerability or exploit information. Q. When can I contribute? The VCP is active. You are welcome to begin contributing today. To learn more, go to http://www.idefense.com/contributor.html. If you have questions or would like to sign up as a contributor to the VCP, please contact us at contributorat_private /END E-MAIL POST/ >-----Original Message----- >From: choose.a.usernameat_private >[mailto:choose.a.usernameat_private] >Sent: Wednesday, August 07, 2002 2:11 PM >To: full-disclosureat_private >Cc: vuln-devat_private >Subject: [Full-Disclosure] IDEFENSE PAYING $$$ FOR VULNS > > > >Just received this spam from Idefense $400 US for a 0 day. Good idea but >that's not enough. MiCrowSoft is quick to tell everyone it costs $100,000 to >create a patch. Idefense should pay 10% of that to make it worthwhile. > >MONEY MONEY MONEY MONEY MONEY. Everyone's in it for a quick buck. > > >The iDEFENSE Vulnerability Contributor Program > >iDEFENSE is a global security intelligence company that proactively monitors >sources throughout the world - from technical vulnerabilities and hacker >profiling to the global spread of viruses and other malicious code. iALERT, >our security intelligence service, provides decision-makers, frontline >security professionals and network administrators with timely access to >actionable intelligence and decision support on cyber-related threats. > >iDEFENSE verifies vulnerabilities, examines the behavior of exploits and >other malicious code, and discovers new software/hardware weaknesses in a >controlled lab environment. We recognize that there is an abundance of >technical security knowledge concerning as-yet-undisclosed vulnerabilities, >exploits and malicious code that is constantly discovered and created by >individuals and security groups. Some of this information may see the light >of day on security mailing lists or are eventually disclosed as the result >of a post-mortem analysis of a compromised computer system. > >iDEFENSE's Vulnerability Contributor Program (VCP) is meant to appropriately >pays those who choose to provide advance information and copies of >vulnerabilities, exploits and malicious code that could be of interest. >Alternately, iDEFENSE can donate the funds to a charity of the contributor's >choice in their name. The chart below gives an outline of the maximum amount >payable. > > >Number of Contributions Value per undisclosed vulnerability Value per new >exploit for previously disclosed vulnerability Value per undisclosed >vulnerability AND accompanying exploit >EVALUATION PHASE > >1-3 up to $75 US up to $100 US up to $200 US >REGULAR CONTRIBUTOR >>4 up to $175 US up to $200 US up to $400 US > >The exact amount will depend on the following issues: > >* The kind of information being shared (i.e. vulnerability or exploit). >* How much detail is provided. >* The potential severity level for the information shared. >* What applications, operating systems, etc. are affected. >* iDEFENSE verification. >* What level of exclusivity, if any, for the data, is granted to iDEFENSE >(see below). >* Number of users of the affected application. > >A sample vulnerability submission template is available here. > >The contributor provides iDEFENSE with at least one week before he or she >discloses the vulnerability and/or exploit via any public forum, including >mailing lists and websites. During that period, iDEFENSE will not release >the information to any public forum. However, reports sent to iDEFENSE >customers will credit the contributor for the report. If the vendor(s) has >not been contacted by the contributor at the time of submission, iDEFENSE >will work with the contributor in deciding who and how the issue will be >reported to the vendor. iDEFENSE discloses vulnerabilities according to our >Security Vulnerability Reporting Policy. > >Situations will occur where multiple contributors will provide information >about the same vulnerability in the same product. In this case, the first >contributor who provides information that can be validated by iDEFENSE will >be compensated; others will not. > >To elaborate on levels of exclusivity, two levels offer potential >contributors the ability to maximize their compensation: > >Level 1: One week exclusive advance notice (Additional US $50) >The contributor provides only iDEFENSE with any sort of advanced notice >about the vulnerability and/or exploit. Afterwards, contributors are free to >distribute via a public forum and/or contact the vendor themselves. iDEFENSE >will not release the information to any public forum. Contributors will be >referenced in all reports sent to iDEFENSE clients. In addition, if the >vendor has not been contacted by the contributor, iDEFENSE will work with >the contributor to determine the appropriate process. If iDEFENSE identifies >on any forum a vulnerability and/or exploit similar to the one being >verified by iDEFENSE, no compensation will be provided. The information and >rights will be returned to the contributor. > >Level 2: Relinquish disclosure rights (Additional US $75) >The contributor provides iDEFENSE with exclusive disclosure rights to any >vulnerability and/or exploit. He or she chooses to never post the >vulnerability information to any other forum. iDEFENSE may release the >information to a public forum and/or iDEFENSE clients. Contributors will be >referenced in all reports sent to iDEFENSE clients. In addition, if the >vendor has not been contacted by the contributor, iDEFENSE will work with >the contributor to determine the appropriate process. If iDEFENSE identifies >on any forum a vulnerability and/or exploit similar to the one that is being >verified by iDEFENSE, no compensation will be provided at all. The >information and rights will be returned to the contributor. > >Payment is sent to the contributor via PayPal when the following conditions >have been met: > >1. The information has been verified to a reasonable degree by iDEFENSE. >2. A type of remuneration and amount has been agreed upon by iDEFENSE and >the contributor(s) for the information or code sharing. >3. Information disclosure issues and timing have been agreed upon by >iDEFENSE and the contributor(s). > >If iDEFENSE has received information from potential contributors, but the >above three issues cannot be resolved, iDEFENSE will not use the information >in any way, respecting the intellectual property and/or right of discovery >of the contributor. > >If you have questions or would like to sign up as a contributor to the VCP, >please send an e-mail to contributorat_private -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wmEEARECACEFAj1RctcaHHNlY3VyaXR5Z3VydUBodXNobWFpbC5jb20ACgkQns+IF5jR p65GtgCgm/ZKkllFFRYA9k8Gf0iM1QaGTxMAnjc7ES/rVUCOrXz9iD0b+fQk3exI =ooX7 -----END PGP SIGNATURE----- Communicate in total privacy. Get your free encrypted email at https://www.hushmail.com/?l=2 Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople _______________________________________________ Full-Disclosure - We believe in it. Full-Disclosureat_private http://lists.netsys.com/mailman/listinfo/full-disclosure
This archive was generated by hypermail 2b30 : Wed Aug 07 2002 - 13:31:44 PDT