Full Disclosure mailing list archives

IDEFENSE PAYING $$$ FOR VULNS


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 7 Aug 2002 11:11:28 -0700

Just received this spam from Idefense: $400 US for a 0 day.  Good idea but that's not enough. MiCrowSoft is quick to 
tell everyone it costs $100,000 to create a patch. Idefense should pay 10% of that to make it worthwhile.

MONEY MONEY MONEY MONEY MONEY. Everyone's in it for a quick buck.


The iDEFENSE Vulnerability Contributor Program

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from 
technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. iALERT, our 
security intelligence service, provides decision-makers, frontline security professionals and network administrators 
with timely access to actionable intelligence and decision support on cyber-related threats. 

iDEFENSE verifies vulnerabilities, examines the behavior of exploits and other malicious code, and discovers new 
software/hardware weaknesses in a controlled lab environment. We recognize that there is an abundance of technical 
security knowledge concerning as-yet-undisclosed vulnerabilities, exploits and malicious code that is constantly 
discovered and created by individuals and security groups. Some of this information may see the light of day on 
security mailing lists or is eventually disclosed as the result of a post-mortem analysis of a compromised computer 
system. 

iDEFENSE's Vulnerability Contributor Program (VCP) is meant to appropriately pay those who choose to provide advance 
information and copies of vulnerabilities, exploits and malicious code that could be of interest. Alternately, iDEFENSE 
can donate the funds to a charity of the contributor's choice in their name. The chart below gives an outline of the 
maximum amount payable. 


Contributor level     Number of      Value per          Value per new exploit   Value per undisclosed
                      contributions  undisclosed        for previously          vulnerability AND
                                     vulnerability      disclosed vulnerability accompanying exploit
---------------------------------------------------------------------------------------------------------
EVALUATION PHASE      1-3            up to $75 US       up to $100 US           up to $200 US
REGULAR CONTRIBUTOR   4              up to $175 US      up to $200 US           up to $400 US

The exact amount will depend on the following issues: 

• The kind of information being shared (i.e. vulnerability or exploit). 
• How much detail is provided. 
• The potential severity level for the information shared. 
• What applications, operating systems, etc. are affected. 
• iDEFENSE verification. 
• What level of exclusivity, if any, for the data, is granted to iDEFENSE (see below). 
• Number of users of the affected application. 

A sample vulnerability submission template is available here.

The contributor provides iDEFENSE with at least one week before he or she discloses the vulnerability and/or exploit 
via any public forum, including mailing lists and websites. During that period, iDEFENSE will not release the 
information to any public forum. However, reports sent to iDEFENSE customers will credit the contributor for the 
report. If the vendor(s) has not been contacted by the contributor at the time of submission, iDEFENSE will work with 
the contributor in deciding to whom and how the issue will be reported. iDEFENSE discloses vulnerabilities 
according to our Security Vulnerability Reporting Policy.

Situations will occur where multiple contributors will provide information about the same vulnerability in the same 
product. In this case, the first contributor who provides information that can be validated by iDEFENSE will be 
compensated; others will not.

To elaborate on levels of exclusivity, two levels offer potential contributors the ability to maximize their 
compensation:

Level 1: One week exclusive advance notice (Additional US $50)

The contributor provides only iDEFENSE with any sort of advance notice about the vulnerability and/or exploit. 
Afterwards, contributors are free to distribute via a public forum and/or contact the vendor themselves. iDEFENSE will 
not release the information to any public forum. Contributors will be referenced in all reports sent to iDEFENSE 
clients. In addition, if the vendor has not been contacted by the contributor, iDEFENSE will work with the contributor 
to determine the appropriate process. If iDEFENSE identifies on any forum a vulnerability and/or exploit similar to the 
one being verified by iDEFENSE, no compensation will be provided. The information and rights will be returned to the 
contributor. 

Level 2: Relinquish disclosure rights (Additional US $75)

The contributor provides iDEFENSE with exclusive disclosure rights to any vulnerability and/or exploit. He or she 
chooses to never post the vulnerability information to any other forum. iDEFENSE may release the information to a 
public forum and/or iDEFENSE clients. Contributors will be referenced in all reports sent to iDEFENSE clients. In 
addition, if the vendor has not been contacted by the contributor, iDEFENSE will work with the contributor to determine 
the appropriate process. If iDEFENSE identifies on any forum a vulnerability and/or exploit similar to the one that is 
being verified by iDEFENSE, no compensation will be provided at all. The information and rights will be returned to the 
contributor. 

Payment is sent to the contributor via PayPal when the following conditions have been met:

1. The information has been verified to a reasonable degree by iDEFENSE. 
2. A type of remuneration and amount has been agreed upon by iDEFENSE and the contributor(s) for the information or 
code sharing. 
3. Information disclosure issues and timing have been agreed upon by iDEFENSE and the contributor(s). 

If iDEFENSE has received information from potential contributors, but the above three issues cannot be resolved, 
iDEFENSE will not use the information in any way, respecting the intellectual property and/or right of discovery of the 
contributor.

If you have questions or would like to sign up as a contributor to the VCP, please send an e-mail to contributor () 
idefense com.
