iDefense ups the bidding for bugs

One day after a rival announces it will pay for details on security bugs, iDefense says it will double its payouts.

Joris Evers Staff Writer, CNET News.com
LAS VEGAS--Security intelligence company iDefense has sweetened its offer to hackers who sell it details on new software vulnerabilities. The change comes one day after rival TippingPoint started to offer rewards for pinpointing bugs.

Both security specialists are vying to be the first to know about vulnerabilities in companies' products. The idea is to gain a competitive edge by having security products that recognize more vulnerabilities that may be exploited in cyberattacks.

In an e-mail Tuesday to the popular Full Disclosure security mailing list, iDefense announced that it is doubling its payments for vulnerability submissions. Additionally, the company is increasing rewards to researchers who contribute regularly and now offers extra payouts to those who increase their submissions year over year, the e-mail said.

Money has increasingly become an incentive for hackers. Programs such as those from TippingPoint and iDefense offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can exploit to break into computer systems, experts have said.

iDefense said it did not make the changes in response to TippingPoint's competition, but to underscore its commitment to the program after being acquired by VeriSign two weeks ago. "However, it turns out that the timing is also good in that it helps us straddle the new competition," said Michael Sutton, a lab director at iDefense.

Both iDefense and TippingPoint work with the person reporting a bug to disclose it to the maker of the faulty software so a fix can be produced.

Only a few companies pay security researchers for finding software vulnerabilities. iDefense's Vulnerability Contributor Program has been around for three years. TippingPoint, part of 3Com, announced its Zero Day Initiative on Monday and will celebrate the launch Wednesday at the Black Hat security conference in Las Vegas.

TippingPoint will also try to sell its program to researchers at Black Hat, which runs through Thursday. Both companies will also market their programs at the Defcon hacker event, which begins Friday.

Neither company discloses what amounts are paid for vulnerability information. However, Gael Delalleau, a French security researcher who has sold information to iDefense in the past, told CNET News.com that the payout is typically between $300 and $1,000, depending on the vulnerability.

"That's less than a day's worth of consulting," he said in an e-mail interview.

Delalleau welcomes TippingPoint's Zero Day Initiative as competition for the iDefense program. Security researchers might be able to get a fair price for their work now, he said. "I feel the amount should be at least equal to the time necessary to find and work on the vulnerability, with an hourly rate equal to that of a skilled consultant."

TippingPoint is not surprised by the competition. "There already was competition," said David Endler, director of security research at TippingPoint, also noting the underground market. "At the end of the day, the security researcher is going to be the winner."

Response to the programs has been mixed among security researchers. While Delalleau applauds the competition for adding to security intelligence, others distrust the security companies and wonder whether exploiting flaws or selling them to criminal hackers could be too much of a lure.

"Can the security companies truly be trusted to diligently help to find a fix when their product is, by its very nature, dependent on insecure applications?" said Keith McCanless, a security researcher who has been credited with finding security flaws in various products.

Emmanouel Kellinis, a security researcher in London, said he is certain many researchers would consider the programs if they can get paid. "On the other hand, there is a possibility that they can make more money by exploiting a vulnerability," he said.