Price War: iDefense Doubles Bounty for Security Flaws

TippingPoint's entry into the market for buying software vulnerability information triggers an immediate reaction from the competition.

LAS VEGAS—The decision by 3Com Corp.'s TippingPoint division to pay for the rights to information on software vulnerabilities has triggered an immediate response from iDefense Inc., the company that previously held a monopoly on the flaw bounty business.

Effective immediately, iDefense is doubling its pricing structure for vulnerability submissions and hiking the value of the incentive and retention reward programs.


In addition, the VeriSign-owned company announced the launch of a new growth reward program that offers lump sum payments for hackers who continue to increase their level of participation in the controversial VCP (Vulnerability Contribution Program).

The bounty increases come just days after TippingPoint's launch of the Zero Day Initiative, a program that pays researchers for data on vulnerabilities. The company said ZDI will promote responsible disclosure by working closely with affected vendors to get patches created before the flaws are made public.


Neither company will say how much it pays for the flaw information, but Ziff Davis Internet News has learned that proof-of-concept exploit code for a code execution bug in a product like Microsoft Corp.'s Internet Explorer browser could earn the flaw finder more than $6,000.

That price automatically doubles with iDefense's latest move, which is likely to prod TippingPoint into matching.

iDefense Labs Director Michael Sutton said the expansion of the VCP will immediately offer "substantively increase[ed] pricing."

"First off, effective immediately, we will be doubling our standard pricing structure for vulnerability submissions. As always, in order to obtain a price quote, we require that a contributor first submit a discovery to Once accepted, we will gladly provide a price quote and forward the appropriate contract," Sutton said in a notice posted on a popular security mailing list.

He also announced the sweetening of the pot for the iDefense rewards program, which provides an incentive to the top five contributors each year. The biggest contributor can now earn a $10,000 incentive, up from $5,000.

The iDefense incentive program, which rewards the top three vulnerability contributors each quarter, has also been increased by up to $2,000.

Sutton said a new Growth program will also be implemented to reward contributors who increase their level of participation in the VCP.

The burgeoning competition between iDefense and TippingPoint was being discussed in the hallways of the Black Hat Briefings here. TippingPoint is using the conference to drum up hacker interest in its new program and, for the most part, researchers welcomed the opportunity to earn money for flaw discoveries.

"If they keep upping the price, more power to us," said one researcher who has submitted vulnerabilities anonymously to iDefense's VCP. "I'm pretty sure the highest bidder will win the day because these guys need to earn money."

Officials from Microsoft Corp.'s security response center were also paying close attention to the news. In an interview, MSRC Director Kevin Kean said Microsoft supports any initiative that promotes the responsible disclosure of vulnerabilities.

"If it's a program in place to allow us to get an update out to customers before it becomes a big risk, we're happy to see that," Kean said.

"There are two things that we want. We want to know about the vulnerability as early as possible. And we want to know about it responsibly. If these companies report things to us in a responsible way and work closely with us to get customers protected, we're happy."

Asked if Microsoft would consider a bounty program of its own, Kean said, "At this time, we don't think paying for vulnerabilities is what we should be doing."
