Wanted: Critical Windows Flaw ... Reward: $10,000
iDefense, the Reston, Va.-based vulnerability research company recently bought up by Verisign Inc., is offering $10,000 to any hackers who can find a previously unknown security hole in Microsoft's Windows operating system.
Here's the catch: The flaw must earn a "critical" rating from Redmond (Microsoft rates security holes as critical if they could be used by a computer worm to spread without any action on the part of the user). Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid. More details are here.
Michael Sutton, director of iDefense Labs, said the company opted to focus the hacking challenge on Microsoft because most of its clients "are heavy Microsoft shops and we wanted to target this initiative to align with their interests." iDefense will change the focus of the challenge each quarter, Sutton said -- the next challenge may focus on another vendor, or it may just center on a particular class of vulnerabilities. So far, Sutton said, the company has received a number of inquiries from researchers since it launched the program on Tuesday.
The reward money is the latest expansion of iDefense's controversial vulnerability contributor program, which pays security researchers to submit findings about new vulnerabilities in popular software products. iDefense doesn't discuss how much it pays for flaws, but the amount varies from a few hundred bucks to thousands of dollars, depending on the severity of the vulnerability and the popularity of the software product. The company then works with the affected vendor on developing a fix for the problem.
A few other security companies have similar vulnerability reward programs. 3Com's TippingPoint last summer launched its "Zero Day Initiative," and other security companies, including Argeniss and Gleg, also have been known to pay for information about previously unknown vulnerabilities. Mozilla also offers a $500 Bug Bounty for each original critical flaw researchers report about its products.
Supporters of bug-reward programs say the incentives are aimed at people in the hacker underground who might otherwise sell the information to other bad guys or post it online for anyone to use. Critics of the practice say it undermines the notion of responsibly reporting flaws directly to the software makers and creates an environment where vendors can be held at ransom.
I'm sure there are plenty of people who will disagree with me, but I've never heard a really compelling case for why companies shouldn't pay researchers to submit bug information. Most of the arguments I've heard against the practice are more emotional than anything else, accusing companies like iDefense of contracting out their own research or not playing by the unwritten rules of the security research community.
The reality is that there is an underground marketplace for security flaws. I would not be surprised if an unpatched, critical Windows flaw could sell for far more than $10,000 in certain digital dark circles. An entity acting on behalf of a national government might be very willing to pay for such information for espionage purposes. Organized hacking and phishing groups also might find it worthwhile to spend a little money in order to make a lot more.
In fact, earlier this month the Russian anti-virus company Kaspersky Lab reported that computer code used to exploit the critical WMF flaw that Microsoft patched in January was sold on the underground for $4,000 by Russian hacker groups who apparently didn't know they could have gotten much more for the code.
As long as the companies buying vulnerabilities don't release details about the flaws until the vendors have issued patches -- and they don't encourage the development of exploits through their programs -- I don't see the real harm.
Microsoft folks I have spoken with have told me privately that Hell will freeze over before Redmond would consider paying outside researchers to find security bugs. I have always suggested that it might be cheaper in the long run if Microsoft further incentivized researchers to report their findings (which they're going to dig up regardless) responsibly to Microsoft instead of offering $250,000 bounties for the head of a virus writer that picks on Microsoft.