iDefense announced that it will pay $10,000 to anyone who discovers a bug in a Microsoft product that results in a new Microsoft Security Bulletin with a severity rating of critical. But there's one slight catch: You must report your discovery by midnight March 31, 2006, Eastern Standard Time.
The company has paid for vulnerabilities reports for some time now. However iDefense is changing its tactics to some extent. A spokesperson for iDefense said, "Going forward, on a quarterly basis, we will select a new focus for the challenge and outline the rules for vulnerability discoveries that will qualify for the monetary rewards."
iDefense competes against a growing underground market for vulnerability reports and exploit code, where reports and code are sometimes sold the highest bidder and other times sold to everyone who can pay the asking price.
According to security vendor Kaspersky Lab, exploit code for the Windows Metafile (WMF) vulnerability, which came to light in December 2005, was being sold for before knowledge of the vulnerability became public.
"Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public," a spokesperson for the company said. "We don't know who was the first \[person\] to discover the vulnerability. We only know who was involved in creating and distributing the exploit and subsequent modifications. The data we have, plus the Russian involvement, make it clear that information about the vulnerability was not passed to companies such as eEye or iDefense, which specialize in identifying vulnerabilities."
