Money For Vista, IE Bugs

Money For Vista, IE Bugs

The race to pick holes in Microsoft's newest operating system and browser is on.

VeriSign's iDefense Labs has kicked off its Vulnerability Contributor Program (VCP), a challenge to find remote arbitrary code execution vulnerabilities in Vista and Internet Explorer 7.0. VCP will pay $8,000 for the first six confirmed vulnerabilities.

It will pay an additional $2,000 to $4,000 for those who also provide working exploit code for the submitted vulnerability, bringing the total potential bounty to $12,000.

IDefense is looking for vulnerabilities that are remotely exploitable and allow arbitrary code execution without additional user interaction (like clicking an e-mail attachment for example). Social engineering and other attacks that require the user to do something other than actually just browsing a site are not valid for this contest.

IDefense expects to receive well more than six reports of vulnerabilities, but iDefense spokesman Jason Greenwood said the VCP stops at six because of budget constraints.

"We receive hundreds of vulnerability research submissions each month as part of our normal contributor program," Greenwood told internetnews.com. "We expect to get many more than six submissions that may qualify for this promotion."

Microsoft does not endorse the challenge, and Greenwood said the company has not contacted VeriSign about the challenge. "We have a close working relationship with Microsoft and responsibly make them aware of vulnerabilities as we discover them," Greenwood said.

That's not to say that Microsoft isn't aware of the iDefense challenge.

A Microsoft spokesperson told internetnews.com that Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. The spokesperson added that Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice.

"Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner," the spokesperson said.

Though Microsoft will not pay for vulnerabilities, it won't ignore the vulnerabilities exposed by the challenge, either.

"Microsoft doesn't want to speculate on the motives of third-party researchers but will say it is committed to working with them closely on the issues they bring to our attention," the spokesperson said. "Whoever handles vulnerabilities, Microsoft does encourage them to responsibly disclose the vulnerability to the affected software vendor in order to protect all customers/users."

VeriSign's iDefense customers, however, may well get the leg up on Vista and IE7 vulnerabilities, ahead of regular Microsoft users.

"Early notification of vulnerabilities is just one aspect of the research the iDefense team does," iDefense's Greenwood said. "Our customers will benefit from the challenge by knowing about potential threats before they are exploited and giving them information to assess the potential risk prior to a patch being put out by Microsoft."

By Sean Michael Kerner Internetnews.com