VeriSign Puts Flaw Bounty on Vista and IE7
rchris1172 writes "VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7. As part of its controversial pay-for-flaw VCP (Vulnerability Contributor Program), iDefense said it will pay the reward for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of the two Microsoft products. In addition to the $8,000 award for the flaw, iDefense will pay between $2,000 and $4,000 for working exploit code that exploits the submitted vulnerability."
Effective... (Score:5, Insightful)
So, not so stupid. Unlike most of the posts on this article so far.
Re:Economics 101 or Why I Love Bounties (Score:5, Insightful)
Sounds like a low figure (Score:2, Insightful)
$8000 might sound like a lot until you compare it to the stories we see of vulnerabilities being sold for $50,000 on underground sites. Why should I sell my findings to them for a much smaller amount?
Re:Only 8k? (Score:3, Insightful)
Then perhaps the simply righteous will step up.
Re:Sounds like a low figure (Score:3, Insightful)
If you can help someone and get paid 8 dollars, or hurt someone and get 50 dollars, what would you do?
I think it's good that there is any compensation at all for white hats who would otherwise receive no compensation at all for doing the least harmful thing. It would be nice if the rewards for help were on par with harm, but helping is reward in itself for some - and a bit extra reward helps the motivation.
Re:Effective... (Score:5, Insightful)
So, not so stupid. Unlike most of the posts on this article so far.
What it's really doing is getting those hundreds of thousands of individuals to do someone else's (Microsoft's) job for them for damn near free.
Oh, please (Score:2, Insightful)
Re:Four Steps to Profit (Score:3, Insightful)
They could turn in bugs they already know about
Re:Effective... (Score:3, Insightful)
Re:Only 8k? (Score:1, Insightful)
Pfft (Score:3, Insightful)
A 0day of this kind is worth at least twice that on the black market, mostly to the botnet creators who are the base of all the spam we get.
"perhaps the simply righteous will step up" (Score:3, Insightful)
Yeah, and if "the righteous" could code, then there wouldn't be any exploits in the first place. 8-).
-- Terry
Re:Sounds like a low figure (Score:2, Insightful)
Perhaps eBay is the appropriate way to monetize on this kind of research.
I'm joking. Quit agreeing.