VeriSign Puts Flaw Bounty on Vista and IE7

rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

Economics 101 or Why I Love Bounties

[WillAffleckUW]

1. Put bounty of $8000 on bugs for Vista and IE7.

2. Get friend to go work at MSFT.

.

4. PROFIT!

Moar money

[zecg]

"In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."

The company spokesman also added they'll double the bounty if the submitter already used the exploit to build a botnet and triple it if promises to use it to send a metric assload of e-mails with the subject "ha-ha" to everyone@microsoft.com.

NOT the best business move!

[Arthur Dent '99]

Paying $8000 for each exploitable security flaw in Microsoft products is a quick way to put a company into bankruptcy! I noticed that the bounty only applies to the first six submissions, though, so VeriSign is only out $48000.

Who else here thinks that VeriSign will then turn around and sell the winning entries to the black market for $50000 each? hehe

The law on unintended consequences

[andersen]

Pointy Haired Boss: Our goal is to write bug-free software. I'll pay a ten dollar bonus for every bug you find and fix.
Dilbert: Yahoo!
Alice: We're rich
Wally: Yes!!! Yes!!! Yes!!!
Pointy Haired Boss: I hope this drives the right behavior.
Wally: I'm gonna write me a new minivan this afternoon!

http://www.ourlocalstyle.com/images/uploadImages/2 006/05/13/dilbert_bugFixMinivan.gif [ourlocalstyle.com]

Re:Economics 101 or Why I Love Bounties

[dreddnott]

I think the way that you would want to do it, and the way that the grandparent poster probably intended, is to have your friend work at Microsoft, put in his OWN bugs and holes in the code, and tell you what the vulnerabilities are so that YOU to write exploit code for it and get the money.

This would probably work until QA at Microsoft tracked down the singular source of most of the exploited vulnerabilities in the past few months.

Considering the number and regularity of vulnerabilities in Microsoft software recently, I wouldn't be surprised if one of their employees was already doing this, but selling them on the more lucrative black market instead.

Re:Not going to work

[Zonnald]

Dear Sir,

You have just won a new Boat!
Please come down to the stadium to pick it up.

Regards

Det. Sgt. Smith

Re:Economics 101 or Why I Love Bounties

[WillAffleckUW]

Quite right you are pointing out the missing step, here it is:

3. ???

Darn. Guess you get the US $8000 bounty. Now, let's see, that's about 2 Euros, right?

So Now I Can Legally Attempt To Compromise M$ ??

[TastyWheat]

And get paid for it??

Hax0r1ng is getting better all the time!
And they said we were just a bunch of internet hooligans.

muahahhaha

Re:Wonder what they're really worth?

[Anonymous Coward]

Too bad I have this silly fear of death

Yeah I wouldn't mess around with those Verisign guys either.....

In other news...

[MattPat]

...both Apple and Cisco are suing VeriSign for the use of iDefense in the name of their labs. Apple claims that it dilutes their brand identity, and Cisco claims that they've been selling "defense" hardware with the "i" trademark for years!

right, not all are Russian mafia

[r00t]

Some are working with the Russian military.

Re:Economics 101 or Why I Love Bounties

[Atario]

--------joke------------>

      O
     /|\      <--- you
      |
     / \