$10k bounty on 'critical' Microsoft flaws

Joris Evers Staff Writer, CNET News.com

Bug hunters of the world, iDefense has another opportunity for you to cash in.

The company, part of VeriSign, has expanded its bug bounty program with a new "quarterly hacking challenge."

For the current quarter, iDefense will pay $10,000 for each vulnerability submission that results in the publication of a Microsoft Security Bulletin with a severity rating of critical, it said in an e-mail to a popular security mailing list on Tuesday.

In order to qualify, the vulnerability must be submitted to iDefense by midnight Eastern Time on March 31. The awards will be paid out following the publication of the Microsoft Security Bulletin. The award will be in addition to iDefense's standard bug bounty, the company said.

Microsoft doesn't agree with paying for vulnerability details, a representative said Friday. "Microsoft works closely with many security research and security software companies and does not believe that offering compensation for vulnerability information is the best way they can help protect their customers," the representative said in an e-mailed statement.

A few companies offer rewards for pinpointing software vulnerabilities. These are mostly security companies that pay for flaws found in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their security products recognize more vulnerabilities.

The focus of the hacking challenge will change on a quarterly basis, Michael Sutton, director of iDefense Labs, said in an e-mail interview Thursday. "We want to encourage our contributors to target their research in areas that are of interest to our clients," he said. "Our clients have let us know that critical Microsoft vulnerabilities are of great importance to them."

iDefense customers receive advance notification of vulnerability reports along with appropriate workarounds in lieu of vendor patches, Sutton said.

All security flaws reported to iDefense are subsequently reported to the affected vendors. iDefense works with those software makers to understand the issue so a fix can be produced, Sutton said. Last year iDefense worked on the disclosure of 150 vulnerabilities, he said.