Slashdot Mirror


VeriSign Puts Flaw Bounty on Vista and IE7

rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

13 of 91 comments

  1. Effective... by clifgriffin · · Score: 5, Insightful

    While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

    So, not so stupid. Unlike most of the posts on this article so far.

    1. Re:Effective... by LoudMusic · · Score: 4, Insightful

      While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

      So, not so stupid. Unlike most of the posts on this article so far.

      Except that not everyone, in fact very few, will eventually be given a reward while hundreds of thousands of individuals spend possibly hundreds of hours each searching for flaws.

      What it's really doing is getting those hundreds of thousands of individuals to do someone else's (Microsoft's) job for them for damn near free.
      --
      No sig for you. YOU GET NO SIG!

    2. Re:Effective... by Eskarel · · Score: 2, Insightful

      If hundreds of thousands of individuals spend hundreds of hours searching for bugs and only a very few find anything they can cash in, then Microsoft has already done its job. Verisign just wants to make sure they have.

  2. Re:Economics 101 or Why I Love Bounties by Drawkcab · · Score: 4, Insightful

    What would you be offering in that equation that would lead to profit for you rather than your friend? Finding exploits is non-trivial even with the code in front of you. And if the guy is working at Microsoft with full access to the source repository and a talent for spotting this sort of thing, they're already making at least $8000 a month anyway (which they don't have to split with you), and could probably be amply rewarded in their career if they made a habit of finding and fixing those exploits.

  3. Sounds like a low figure by Hyram+Graff · · Score: 2, Insightful

    $8000 might sound like a lot until you compare it to the stories we see of vulnerabilities being sold for $50,000 on underground sites. Why should I sell my findings to them for a much smaller amount?

    --
    0*0
    00*
    ***
    1. Re:Sounds like a low figure by w33t · · Score: 2, Insightful

      Why should I sell my findings to them for a much smaller amount?

      If you can help someone and get paid 8 dollars, or hurt someone and get 50 dollars, what would you do?

      I think it's good that there is any compensation at all for white hats who would otherwise receive no compensation at all for doing the least harmful thing. It would be nice if the rewards for help were on par with harm, but helping is reward in itself for some - and a bit extra reward helps the motivation.

    2. Re:Sounds like a low figure by Onymous+Coward · · Score: 2, Insightful

      Exactly.

      Perhaps eBay is the appropriate way to monetize on this kind of research.

      I'm joking. Quit agreeing.

  4. Re:Only 8k? by w33t · · Score: 2, Insightful

    Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self-righteous will go for such a scam.

    Then perhaps the simply righteous will step up.

  5. Oh, please by lawrenlives · · Score: 2, Insightful

    I'd like to think not everyone involved in the "field" is a scumbag criminal in cahoots with the Russian mafia. Go ahead, prove me wrong! Despite the seemingly faceless nature of corporations, it's always human beings like you and me that get screwed in the end.

    --
    Frankly, I prefer the company of nitwits.

  6. Re:Four Steps to Profit by Sosarian · · Score: 2, Insightful

    Microsoft is in the habit of knowing about bugs but not fixing them if they're not out in the wild.

    They could turn in bugs they already know about :)

  7. Re:Only 8k? by jt2377 · · Score: 1, Insightful

    You're legally getting paid for the bug that you report. Those black market sellers and buyers, if caught, can face jail time with your new jail mate Bubba. You better hope you don't drop your soap during the shower.

  8. Pfft by Tom · · Score: 2, Insightful

    What a cheap publicity stunt.

    A 0day of this kind is worth at least twice that on the black market, mostly to the botnet creators who are the base of all the spam we get.

    --
    Assorted stuff I do sometimes: Lemuria.org

  9. "perhaps the simply righteous will step up" by tlambert · · Score: 2, Insightful

    "perhaps the simply righteous will step up"

    Yeah, and if "the righteous" could code, then there wouldn't be any exploits in the first place. 8-).

    -- Terry