Less than a month after Trend Micro discovered Vista flaws being sold off for $50,000 in the underground market by hackers, VeriSign’s iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7.
This is part of its three-year-old Vulnerability Contributor Program, which compensates individuals who provide iDefense with advance notification of unpublished vulnerabilities and/or exploit code.
3Com’s Zero Day Initiative is a similar program.
The first submission on any vulnerability in the above two products wins $8,000, up to a maximum of six payments. The vulnerability “must be remotely exploitable and must allow arbitrary code execution in a default installation of Vista or IE 7.0. It [must] also exist in the latest version of the two products, with all available patches/upgrades applied.”
These reward programs weren’t well received by Microsoft. Again, what remains to be seen is how the information received by iDefense and 3Com is actually going to be used.
If they responsibly alert the appropriate vendor, in this case Microsoft, then there shouldn’t be an issue, as a patch can be released before exploitation begins.