VULNERABILITY CONTRIBUTOR PROGRAM

The iDefense Vulnerability Contributor Program (VCP) began in 2002.  The founders created the program when they realized that there exists an abundance of technical security knowledge concerning undisclosed vulnerabilities.  This knowledge base is constantly being expanded by individuals and security groups. Some of this information may see the light of day on security mailing lists or eventually be disclosed as the result of a post-mortem analysis for a compromised computer system.  iDefense created the VCP to compensate individuals who provide iDefense with advance notification of unpublished vulnerabilities and/or exploit code.

The iDefense VCP consists of two interrelated programs, the main program and an annual challenge.  The main program focuses on actionable research submissions, presented to iDefense by the general public, defining new vulnerabilities and/or exploits uncovered in prominent enterprise-level software and infrastructure components.  iDefense defines actionable as anything representing a significant threat of damage or compromise to its customers and/or the general public, thus requiring protective action.  iDefense defines prominent software and components as anything known by iDefense to be in general use by its customers and/or known to be in widespread public use. iDefense will offer as much as $15,000 (US), depending on the nature of the vulnerability, for acceptable well-documented research with reliable proof-of-concept exploit code.

The iDefense annual challenge complements the main program by offering significant monetary prizes for the top four VCP submissions made public by iDefense within a calendar year.  These prizes range from $5,000 to $50,000 and are awarded based on the thoroughness and severity of the submitted research.

Program Submission Criteria
The iDefense VCP compensates individuals or groups who provide the iDefense Labs VRT with advance notification of previously unpublished proof-of-concept vulnerability research and/or exploit code. In order to qualify for compensation, the contributor's submitted research must meet the following criteria:

  • Research is completely original work that the contributor has not previously disclosed to any other party and that is not otherwise public knowledge.
  • The VRT can verify all claims made by the contributor. The contributor's research must be reproducible by the VRT.
  • The vulnerability is either:
    1. Remotely exploitable
    2. Locally exploitable for a kernel/OS (this includes libraries and tools that are part of the Standard Distribution for the kernel/OS) but does not require any 3rd party software.  In other words, the vulnerability must be present in the operating system kernel, or in a tool that is commonly distributed with the operating system, not in drivers that come with 3rd party applications.
  • The vulnerability allows arbitrary code execution, Denial of Service, or otherwise circumvents intended behavior of the affected target.
  • The vulnerability exists in a currently supported version of the affected technology.
  • NOTE: iDefense will not accept 'RC' (Release Candidate), 'Beta', 'Technology Preview' and similar pre-release versions of the targeted technology.
  • iDefense judges every submission on a case-by-case basis, so please don't hesitate to submit something when you are unsure whether it meets the acceptance criteria.

iDefense is only interested in vulnerability research that targets common software applications that tend to be used in most enterprises. These applications tend to come from both the closed source and open source communities. Some potential vendors are (but are not limited to):

Closed Source
  • Adobe
  • Apple
  • Checkpoint
  • CISCO
  • Citrix
  • IBM
  • Microsoft
  • Oracle
  • PGP
  • Sun
  • Verisign

Open Source
  • Apache Software Foundation
  • Common Linux Distributions
  • Gnu
  • Mozilla
  • Sun

The iDefense VRT will also cover vulnerabilities in software made by lesser-known vendors as long as it is a common tool used by most enterprises. The specific vendor is not a guarantee that the VRT will accept a vulnerability submission. The vendor name is simply one of several metrics that the VRT uses when deciding what research is acceptable.

Additionally, prominent vendors frequently make products that are of no interest to iDefense. For example, both Microsoft and IBM are very prominent vendors, but since they make such a wide array of products, some of which have extremely limited usage, iDefense will not necessarily be interested in all of the products from either of these companies.

iDefense is most interested in common enterprise-level applications. Some potential applications are (but are not limited to):

Closed Source Applications
  • Adobe (Reader, Acrobat, Flash)
  • Apple Safari, iTunes, Mac OSX
  • Checkpoint Firewall
  • CISCO IOS
  • Citrix Metaframe
  • Firefox
  • IBM AIX / OS
  • Juniper Router OS
  • Linux Enterprise (RedHat, SuSE, Debian)
  • Microsoft Office Suite
  • Microsoft Operating Systems (Exchange Server 2000/2003/2008, XP, Vista, Mobile)
  • Microsoft SQL Server, IIS, SMS, ASP.NET
  • Oracle Database
  • Palm OS
  • PGP Encryption Platform
  • RIM / BlackBerry OS
  • Skype
  • Sun Solaris
  • Sybase

Open Source Applications
  • Apache Web Server
  • Fedora Linux
  • GNU Debian Linux
  • Knopix Linux
  • Mozilla Firefox, Thunderbird
  • Open SUSE Linux
  • Sun MySql and OpenOffice
  • Ubuntu Linux

Security and Management Tools
  • Checkpoint
  • HP NNM (formerly OpenView)
  • IDS (ISS, TippingPoint, Juniper, Cisco, McAfee)
  • Snort

Core Services (Any Prominent Source)
  • DNS / Bind
  • Java JRE
  • PHP
  • Postfix
  • Qmail
  • Sendmail
  • SSH

iDefense is not interested in fuzzing results without any thought behind how a researcher might leverage the information. It is important for the contributor to note that all submissions to the iDefense VCP which contain thorough and detailed analysis and/or verifiable mitigations will be rewarded at a higher level of compensation. In short, this means that the more thorough and clear your submission is, the more you can expect to earn for your efforts. For example, general code execution vulnerabilities are worth more than DoS vulnerabilities, and remote vulnerabilities are worth more than local ones.

Remember, these are guidelines, NOT steadfast rules that apply in every case, but they are good general indicators.  There are always exceptions to the rules listed herein, so contributors should never hesitate to submit something if they feel it has a significant impact.  The iDefense VRT always reserves the right to accept Contributions outside the normal scope of the VCP program's published guidelines, especially if the Contribution demonstrates a new technique, or provides some significant new and valuable insight and/or information.

Program Payment Considerations
The iDefense VCP offers payments for valuable contributed research as an incentive to researchers for submitting their work.  These payments can range from hundreds to thousands of dollars (US$), depending on the nature and value of the contributed work.
More specifically, the payment amount offered to a contributor for a submission is based largely on the following criteria:

  • The potential number of affected users the vulnerability may impact
  • The VRT's estimated potential value to iDefense customers
  • The VRT's estimate of the severity of the overall vulnerability
  • The clarity and thoroughness of the contributed research
  • The extent and clarity of included Proof-of-Concept code
  • The extent and clarity of included mitigation research

Program Payment Methods
In an effort to accommodate the wide range of nationalities and locales particular to individual contributors, iDefense offers the following four methods of payment. Please be advised that iDefense is not responsible for any fees assessed to the contributor by the selected payment processor.

Check – iDefense will send compensation checks to a physical mailing address or a post office box within the United States (USA). International checks are not available at this time.

Personal PayPal account – The iDefense VCP supports the use of a personal PayPal account for compensating contributors (or their designee).

Western Union – In order for iDefense to complete a Western Union transaction, we require the "real" name of the receiving party (you or your designee) along with the country and city where they wish to pick up their payment. The list of countries in which Western Union will deliver payments may be found on their website at www.westernunion.com.

Wire Transfer – iDefense can execute Wire transfers directly to a bank account. To make this possible, you must provide iDefense with the account holder's "real" name, the bank's name, the ABA/routing number of the bank (or SWIFT code if a non US bank), and the account number.

As an alternative to receiving compensation a contributor may, at their discretion, instruct iDefense to donate any earned funds to a charity of the contributor's choice anonymously or in their name.

iDefense will make every effort to respond within five business days (US) to all research submissions that include clear and thorough documentation and working, reliable proof-of-concept exploit code. Other submissions may take as long as 30 calendar days to be reviewed.

If you have questions or would like to sign up as a contributor to the VCP, please contact us via email. If you prefer to use encryption you can download our public PGP Key.