iDEFENSE  REDEFINES VULNERABILITY RESEARCH (AGAIN)

iDefense Press Release: iDefense Redefines Vulnerability Research (Again)

July 2, 2008

Summary:
VeriSign's iDefense Labs today announced a major overhaul to its Vulnerability Contributor Program (VCP). Changes include a re-structuring of the program's compensation guidelines to offer as much as $15,000 for well-researched, high-impact vulnerabilities; streamlining of the program requirements and guidelines; announcement of an on-going "face lift" of the iDefense Labs website; and the re-invention of the Contributor Challenge Program, highlighted by its $50,000 annual grand prize for the most substantial vulnerability contributed each year.

Back in 2002, iDefense shook up the industry by creating the Vulnerability Contributor Program (VCP). At the time, the idea of offering a bounty for vulnerabilities was considered somewhat radical.  Now that the idea has gained industry acceptance, iDefense believes it is time to take it to the next level.  The first step in this evolution was the appointment, in April 2008, of Andrew Scholnick as the new Director for the iDefense Labs.  Bringing over 25 years of experience with networks, security, communications, and internet innovation to The Labs, Mr. Scholnick's first major act is the announcement today of a series of updates to the iDefense VCP.

iDefense Labs listens to its contributors!

Over the past year, there have been a growing number of requests from iDefense contributors to make the VCP and Challenge programs more financially rewarding and easier to participate in.  Starting July 1, 2008, iDefense will begin implementing several changes designed to address these and other contributing researcher requests.

Improved Overall Compensation

First and foremost among the changes iDefense has made is the restructuring of the research compensation algorithm for contributed vulnerabilities. As of July 1, 2008, iDefense is revising both the overall acceptance criteria and the associated compensation guidelines used to determine how much money to offer for research of interest. Contributors will notice two things as a result of this:

  • A greater demand for significant high-quality research
  • A substantial increase in compensation offered for research, up to $15,000 for the best documented research submissions that contain working and reliable proof-of-concept exploit code

$50,000 Challenge Grand Prize

As of July 1, 2008, the VCP Challenge program will offer an annual top prize of $50,000 for the best contributed vulnerability purchased by the iDefense Labs through the VCP. Three other prizes will be offered ($25,000, $10,000 and $5,000) for other outstanding vulnerability contributions.  For a full explanation of the new annual challenge, keep your eyes on http://labs.idefense.com/vcp/challenge.php.

No Complicated 'Rewards' System

In reevaluating the various aspects of the VCP, it became obvious that the rewards programs were not achieving the desired effect.  Many contributors commented that they would prefer a larger up-front payment for their research to the promise of potential additional rewards later.  In response, iDefense Labs has eliminated the Rewards Programs and increased its up-front payment amounts by up to 50 percent.

New Submission Process


[Image: VCP Portal Login Page]

In August 2008, iDefense Labs will unveil an entirely new mechanism for submitting vulnerability research, the VCP Portal.  More details about this new mechanism will be provided soon, including information regarding expedited account creation, portal features and functionality.

General Changes

In the coming months, the iDefense Labs website and the new VCP Portal will undergo an evolution introducing new information resources, tools and general features to improve the functionality and efficiency of the sites.  While iDefense will occasionally announce the more significant changes, many smaller modifications may be added without any such fanfare.  For this reason we suggest our contributors check periodically to see what is new.

iDefense Quotes:

"The purpose of the iDefense VCP program is to help our customers and the general public stay ahead of the bad guys. This means two things: first, we must be able to attract the attention of people who uncover vulnerabilities independently, and encourage them to submit their findings to us, rather than simply dropping their findings in the public domain, or worse, selling them to people of lesser ethical standing; second, we need to make sure we keep our submission process simple and handle payments quickly and efficiently, to ensure that our independent vulnerability contributors continue to be motivated to come to iDefense first. These initial program changes are designed to do just that."
- Andrew Scholnick, Director, iDefense Labs

"In the coming months, customers and contributors can expect to see many more advancements in the way responsible independent vulnerability research is performed.  Beginning with the changes being announced today, and following up with the introduction of our VCP submission portal this August, the iDefense Lab plans to redefine and advance the state of the art yet again.  In the coming year we will continue the process by honing this new functionality and continuing to introduce new innovations that facilitate the science of vulnerability research."
- Andrew Scholnick, Director, iDefense Labs