Mailing List Archive

Just received this spam from Idefense $400 US for a 0 day. Good idea but that's not enough. MiCrowSoft is quick to tell everyone it costs $100,000 to create a patch. Idefense should pay 10% of that to make it worthwhile.

MONEY MONEY MONEY MONEY MONEY. Everyone's in it for a quick buck.


The iDEFENSE Vulnerability Contributor Program

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. iALERT, our security intelligence service, provides decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats.

iDEFENSE verifies vulnerabilities, examines the behavior of exploits and other malicious code, and discovers new software/hardware weaknesses in a controlled lab environment. We recognize that there is an abundance of technical security knowledge concerning as-yet-undisclosed vulnerabilities, exploits and malicious code that is constantly discovered and created by individuals and security groups. Some of this information may see the light of day on security mailing lists or are eventually disclosed as the result of a post-mortem analysis of a compromised computer system.

iDEFENSE's Vulnerability Contributor Program (VCP) is meant to appropriately pays those who choose to provide advance information and copies of vulnerabilities, exploits and malicious code that could be of interest. Alternately, iDEFENSE can donate the funds to a charity of the contributor’s choice in their name. The chart below gives an outline of the maximum amount payable.


Number of Contributions Value per undisclosed vulnerability Value per new exploit for previously disclosed vulnerability Value per undisclosed vulnerability AND accompanying exploit
EVALUATION PHASE

1-3 up to $75 US up to $100 US up to $200 US
REGULAR CONTRIBUTOR
>4 up to $175 US up to $200 US up to $400 US

The exact amount will depend on the following issues:

• The kind of information being shared (i.e. vulnerability or exploit).
• How much detail is provided.
• The potential severity level for the information shared.
• What applications, operating systems, etc. are affected.
• iDEFENSE verification.
• What level of exclusivity, if any, for the data, is granted to iDEFENSE (see below).
• Number of users of the affected application.

A sample vulnerability submission template is available here.

The contributor provides iDEFENSE with at least one week before he or she discloses the vulnerability and/or exploit via any public forum, including mailing lists and websites. During that period, iDEFENSE will not release the information to any public forum. However, reports sent to iDEFENSE customers will credit the contributor for the report. If the vendor(s) has not been contacted by the contributor at the time of submission, iDEFENSE will work with the contributor in deciding who and how the issue will be reported to the vendor. iDEFENSE discloses vulnerabilities according to our Security Vulnerability Reporting Policy.

Situations will occur where multiple contributors will provide information about the same vulnerability in the same product. In this case, the first contributor who provides information that can be validated by iDEFENSE will be compensated; others will not.

To elaborate on levels of exclusivity, two levels offer potential contributors the ability to maximize their compensation:

Level 1: One week exclusive advance notice (Additional US $50)
The contributor provides only iDEFENSE with any sort of advanced notice about the vulnerability and/or exploit. Afterwards, contributors are free to distribute via a public forum and/or contact the vendor themselves. iDEFENSE will not release the information to any public forum. Contributors will be referenced in all reports sent to iDEFENSE clients. In addition, if the vendor has not been contacted by the contributor, iDEFENSE will work with the contributor to determine the appropriate process. If iDEFENSE identifies on any forum a vulnerability and/or exploit similar to the one being verified by iDEFENSE, no compensation will be provided. The information and rights will be returned to the contributor.

Level 2: Relinquish disclosure rights (Additional US $75)
The contributor provides iDEFENSE with exclusive disclosure rights to any vulnerability and/or exploit. He or she chooses to never post the vulnerability information to any other forum. iDEFENSE may release the information to a public forum and/or iDEFENSE clients. Contributors will be referenced in all reports sent to iDEFENSE clients. In addition, if the vendor has not been contacted by the contributor, iDEFENSE will work with the contributor to determine the appropriate process. If iDEFENSE identifies on any forum a vulnerability and/or exploit similar to the one that is being verified by iDEFENSE, no compensation will be provided at all. The information and rights will be returned to the contributor.

Payment is sent to the contributor via PayPal when the following conditions have been met:

1. The information has been verified to a reasonable degree by iDEFENSE.
2. A type of remuneration and amount has been agreed upon by iDEFENSE and the contributor(s) for the information or code sharing.
3. Information disclosure issues and timing have been agreed upon by iDEFENSE and the contributor(s).

If iDEFENSE has received information from potential contributors, but the above three issues cannot be resolved, iDEFENSE will not use the information in any way, respecting the intellectual property and/or right of discovery of the contributor.

If you have questions or would like to sign up as a contributor to the VCP, please send an e-mail to contributor@idefense.com.



Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople