Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeriSign Puts Flaw Bounty on Vista and IE7

Posted by samzenpus on from the bug-money dept.

rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

12 of 91 comments (clear)

  1. Only 8k? by Anonymous Coward · · Score: 5, Interesting

    Only 8k for bugs which go on the market for 15-100k each exploit? Surely you jest, no self righteous will go for such a scam.

  2. Economics 101 or Why I Love Bounties by WillAffleckUW · · Score: 4, Funny

    1. Put bounty of $8000 on bugs for Vista and IE7.

    2. Get friend to go work at MSFT.

    .

    4. PROFIT!

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Economics 101 or Why I Love Bounties by Drawkcab · · Score: 4, Insightful

      What would you be offering in that equation that would lead to profit for you rather than your friend? Finding exploits is non-trivial even with the code in front of you. And if the guy is working at Microsoft with full access to the source repository and a talent for spotting this sort of thing, they're already making at least $8000 a month anyway (which they don't have to split with you), and could probably be amply rewarded in their career if they made a habit of finding and fixing those exploits.

    2. Re:Economics 101 or Why I Love Bounties by Atario · · Score: 4, Funny

      --------joke------------>

            O
           /|\      <--- you
            |
           / \

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  3. Effective... by clifgriffin · · Score: 5, Insightful

    While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

    So, not so stupid. Unlike most of the posts on this article so far.

    --
    clifgriffin > blog
    1. Re:Effective... by LoudMusic · · Score: 4, Insightful

      While others may scoff at 8,000 dollars, people are spending hundreds of hours on projects that are bringing in much less if anything. This is a good way to give people healthy motivation and reveal vulnerabilities early...before they make headlines.

      So, not so stupid. Unlike most of the posts on this article so far. Except that not everyone, in fact very few, will eventually be given a reward while hundreds of thousands of individuals spend possibly hundreds of hours each searching for flaws.

      What it's really doing is getting those hundreds of thousands of individuals to do someone else's (Microsoft's) job for them for damn near free.
      --
      No sig for you. YOU GET NO SIG!
  4. Moar money by zecg · · Score: 5, Funny

    "In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

    The company spokesman also added they'll double the bounty if the submitter already used the exploit to build a botnet and triple it if promises to use it to send a metric assload of e-mails with the subject "ha-ha" to everyone@microsoft.com.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  5. Re:Four Steps to Profit by __aaclcg7560 · · Score: 4, Informative

    Didn't you read the fine print... current/former Microsoft employees not allowed. Otherwise, every anonymous coward at Microsoft would get the same idea and sabotage Vista/IE7 to collect the reward. Crime isn't supposed to pay if you're non-monopolist!

  6. Not going to work by AngryDad · · Score: 5, Interesting

    iDefense ask you to provide all your background information, names, addressess, telephones, photocopies of IDs, etc. Most people who can find vulnerabilities will not be willing to sacrifice their privacy. When iDefence and alike will only ask for e-mail address to paypal funds to, I'd be first in line to talk to them.

  7. NOT the best business move! by Arthur+Dent+'99 · · Score: 5, Funny

    Paying $8000 for each exploitable security flaw in Microsoft products is a quick way to put a company into bankruptcy! I noticed that the bounty only applies to the first six submissions, though, so VeriSign is only out $48000.

    Who else here thinks that VeriSign will then turn around and sell the winning entries to the black market for $50000 each? hehe

  8. The law on unintended consequences by andersen · · Score: 4, Funny

    Pointy Haired Boss: Our goal is to write bug-free software. I'll pay a ten dollar bonus for every bug you find and fix.
    Dilbert: Yahoo!
    Alice: We're rich
    Wally: Yes!!! Yes!!! Yes!!!
    Pointy Haired Boss: I hope this drives the right behavior.
    Wally: I'm gonna write me a new minivan this afternoon!

    http://www.ourlocalstyle.com/images/uploadImages/2 006/05/13/dilbert_bugFixMinivan.gif

    --
    -Erik -- --This message was written using 73% post-consumer electrons--
  9. Re:Wonder what they're really worth? by Anonymous Coward · · Score: 5, Funny

    Too bad I have this silly fear of death Yeah I wouldn't mess around with those Verisign guys either.....