Thanks to ThePitt for posting this in BPN.
VeriSign's iDefense Labs is offering money for remote code execution holes in Windows Vista and Internet Explorer 7 as part of its pay-for-flaw VCP (Vulnerability Contributor Program) challenge. Through its Zero Day Initiative, 3Com's TippingPoint likewise pays researchers for exclusive rights to advance notification of unpublished vulnerabilities or exploit code. Once they hold a vulnerability, the companies coordinate disclosure with the affected vendor, use it to improve their own security products, and resell the information.
"Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty. Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products," iDefense said in a note announcing the bounty.
iDefense will pay $8,000 for each of up to six unique vulnerabilities that allow an attacker to remotely execute arbitrary code on a default, fully patched installation of either of the two Microsoft products. An additional $2,000 to $4,000, depending on the readability and documentation, is offered for working exploit code for the submitted vulnerability. Microsoft is not amused and believes the priority should be getting an update for the software to users, not compensation for vulnerability information.
News source: eWeek