A private company has placed a $20,000 bounty on exploitable vulnerabilities in Microsoft’s Windows operating system, a move that significantly raises the value of software flaw research.
Billed as a Hacker Challenge, the $20,000 “special prize” is being offered by Digital Armaments, one of several companies that pay hackers who agree to give them exclusive rights to advance notification of unpublished vulnerabilities or exploit code.
Digital Armaments said the bounty will be available for each submission that results in an exploitable vulnerability or working exploit against Windows or a Windows Diffuse application. To qualify, the flaw data must include examples and documentation, the company said.
Not much is known about the people behind Digital Armaments. The company’s Web site does not include any details about its backers or its whereabouts.
This is not the first high-priced flaw data bounty from Digital Armaments, which previously offered hacking challenges for bugs in the Symbian OS, Oracle Database and VMware.
VeriSign’s iDefense VCP (Vulnerability Contributor Program) has also placed a public price tag on flaws and exploits in specific products. In December 2007, the company offered between $8,000 and $12,000 for remote arbitrary code execution holes in these e-mail clients and servers:
Microsoft Outlook, Mozilla Thunderbird, Microsoft Outlook Express, Sendmail SMTP daemon, Microsoft Exchange Server
In the past, iDefense has offered monetary prizes for holes in Windows Vista and Internet Explorer 7.