VULNERABILITY CONTRIBUTOR PROGRAM
The iDefense Vulnerability Contributor Program (VCP) compensates individuals who provide iDefense with advance notification of unpublished vulnerabilities and exploit code. Alternatively, iDefense can donate any earned funds to a charity of the contributor's choice in their name. There are currently more than 250 active VCP contributors.

Criteria

VCP payment amounts depend upon:
  • the kind of information being shared (e.g., vulnerability, exploit code, etc.)
  • the amount of detail provided
  • the potential severity level of the information
  • what applications, operating systems, etc., are affected
  • iDefense verification of accuracy
  • what level of exclusivity, if any, is granted to iDefense for the data (see below)
  • the number of users of the affected application
  • the potential value to iDefense customers
Contributors provide iDefense exclusively with advance notice about the vulnerability or exploit code. If the vendor has not been previously contacted, iDefense will work with contributors to determine the appropriate process. After an agreed-upon amount of time has passed, contributors are free to distribute the submitted information to a public forum and/or contact the affected vendors themselves, assuming they have not already requested iDefense to do so. Contributors will be referenced in all public advisories or reports sent to iDefense customers, assuming they want their identity to be disclosed. If, during the verification process, iDefense identifies on any forum a vulnerability or exploit similar to that sent to iDefense, both the information and rights to it will be returned to contributors with no compensation provided.

For more information on this program, and for specifics concerning VCP rewards and incentives, read the VCP overview.