iDefense Labs' first quarter 2007 Vulnerability Challenge is targeted at those who can find particular bugs in Windows Vista and Microsoft Internet Explorer (IE) 7.0. The company is offering between $8,000 and $12,000 for a new discovery and between $2,000 and $4,000 for a working exploit of that vulnerability, depending on the quality.

According to the Vulnerability Challenge rules (at the URL below), "The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above." Furthermore, "the vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied," and "the vulnerability must not require additional social engineering beyond browsing a malicious site."

http://labs.idefense.com/vcp/challenge.php

iDefense (a VeriSign company) profits from these challenges by reselling the vulnerability data to its customers and from the publicity the challenges generate.

Black hats sell vulnerability information too. You've probably read news stories about people attempting to sell vulnerabilities of the caliber desired by iDefense on various Internet sites. These black hats often claim that they'll sell a working exploit to the highest bidder (they sometimes have a reserve price that they won't go below). One story I read said that a black hat offered to sell an exploit for $50,000. That's a lot of money for working exploit code.

People who buy such exploit code undoubtedly expect to profit from it somehow, most likely through some type of theft or fraud. So if sellers of exploit code can get that kind of money, or even half that much, and buyers can make their money back by using the exploit code, then the potential takers of iDefense's challenge will be either white hats or those who don't have a vehicle to sell their vulnerability information.

Fortunately, some people will sell their work to iDefense simply because they don't want to see their discoveries used to exploit innocent people, and that's a great motive. But I think we need to keep in mind that many discovers of security vulnerabilities don't care about innocent people--what they care about is personal gain. Seen in that light, iDefense's offer of a maximum of $12,000 seems rather low and might not attract people who discover the most serious vulnerabilities.

Other companies offering bug bounties include 3Com (at the first URL below) and Mozilla Foundation (at the second URL below). 3Com's Zero Day Initiative is a points program in which the more bugs you submit, the more points you receive. You trade points for benefits such as cash and travel to security conferences. Mozilla Foundation pays a flat fee of $500 for a bug found in Mozilla software, plus you get a T-shirt.

http://www.zerodayinitiative.com

http://www.mozilla.org/security/bug-bounty.html

All three of these programs have been under way for quite some time now and are successful to some extent or other. The question in my mind is why hasn't Microsoft instituted a similar program? I think it would be a great addition to the company's current efforts at making their products more secure.