The iDefense Vulnerability Contributor Program (VCP) began in 2002. The founders created the program when they realized that an abundance of technical security knowledge about undisclosed vulnerabilities already exists and is constantly being expanded by individuals and security groups. Some of this information may see the light of day on security mailing lists or eventually be disclosed as the result of a post-mortem analysis of a compromised computer system. iDefense created the VCP to compensate individuals who provide iDefense with advance notification of unpublished vulnerabilities and/or exploit code.
The iDefense VCP consists of two interrelated programs, the main program and an annual challenge. The main program focuses on actionable research submissions, presented to iDefense by the general public, that define new vulnerabilities and/or exploits uncovered in prominent enterprise-level software and infrastructure components. iDefense defines "actionable" as anything representing a significant threat of damage or compromise to its customers and/or the general public, thus requiring protective action. iDefense defines "prominent" software and components as anything known by iDefense to be in general use by its customers and/or known to be in widespread public use. iDefense will offer as much as $15,000 (US), depending on the nature of the vulnerability, for acceptable, well-documented research with reliable proof-of-concept exploit code.
The iDefense VCP also compensates follow-up reports of 'failed' patches from the original contributor of the vulnerability. In such cases iDefense will offer up to 20% of the original research payment, depending on the nature of the vulnerability, documentation quality, and provided proof-of-concept code exploiting the 'failed' patch.
The iDefense Labs Annual VCP Challenge complements the main program by offering significant monetary prizes for the top four overall contributors to the iDefense Labs VCP and/or the top individual VCP submissions processed by iDefense within a calendar year. These prizes range from $5,000 to $50,000 and are awarded based on the thoroughness and severity of the submitted research.
Program Submission Criteria
The iDefense VCP compensates individuals or groups who provide the iDefense Labs Vulnerability Research Team (VRT) with advance notification of previously unpublished proof-of-concept vulnerability research and/or exploit code. In order to qualify for compensation, the contributor's submitted research must meet the following criteria:
iDefense is only interested in vulnerability research affecting common software applications that tend to be used in most enterprises. These applications come from both the closed source and open source communities. Some potential vendors are (but are not limited to):
Closed Source: Adobe, Apple, Check Point, Cisco, Citrix, IBM, Microsoft, Oracle, PGP, Sun, VeriSign
Open Source: Apache Software Foundation, common Linux distributions, GNU, Mozilla, Sun
The iDefense VRT will also cover vulnerabilities in software made by lesser-known vendors as long as it is a common tool used by most enterprises. The specific vendor is not a guarantee that the VRT will accept a vulnerability submission. The vendor name is simply one of several metrics that the VRT uses when deciding acceptable research.
Additionally, prominent vendors frequently make products that are of no interest to iDefense. For example, both Microsoft and IBM are very prominent vendors, but since they make such a wide array of products, some of which have extremely limited usage, iDefense will not necessarily be interested in all of the products from either of these companies.
iDefense is most interested in common enterprise-level applications. Some potential applications are (but are not limited to):
Closed Source Applications
Adobe (Reader, Acrobat, Flash)
Apple Safari, iTunes, Mac OS X
Check Point Firewall
Cisco IOS
Citrix MetaFrame
Google (cloud computing applications and tools)
IBM AIX / OS
Juniper router OS
Linux Enterprise (Red Hat, SuSE, Debian)
Microsoft Office Suite
Microsoft operating systems (Exchange Server 2000/2003/2008, XP, Vista, Mobile)
Microsoft SQL Server, IIS, SMS, ASP.NET
Oracle Database
Palm OS
PGP Encryption Platform
RIM / BlackBerry OS
Skype
Sun Solaris
Sybase
Open Source Applications
Apache Web Server
Fedora Linux
GNU Debian Linux
Knoppix Linux
Mozilla Firefox, Thunderbird
openSUSE Linux
Sun MySQL and OpenOffice
Ubuntu Linux
Security and Management Tools
Check Point
HP NNM (formerly OpenView)
IDS (ISS, TippingPoint, Juniper, Cisco, McAfee)
Snort
Core Services (Any Prominent Source)
DNS / BIND
Java JRE
PHP
Postfix
Qmail
Sendmail
SSH
iDefense is not interested in fuzzing results submitted without any thought about how a researcher might leverage the information. Contributors should note that submissions to the iDefense VCP that contain thorough and detailed analysis and/or verifiable mitigations are rewarded at a higher level of compensation. In short, the more thorough and clear your submission is, the more you can expect to earn for your efforts. For example, general code execution vulnerabilities are worth more than denial-of-service (DoS) conditions, and remotely exploitable vulnerabilities are worth more than local ones.
Remember, these are guidelines, NOT steadfast rules that apply in every case, but they are good general indicators. There are always exceptions to the rules listed herein, so contributors should never hesitate to submit something if they feel it has a significant impact. The iDefense VRT always reserves the right to accept Contributions outside the normal scope of the VCP program's published guidelines, especially if the Contribution demonstrates a new technique, or provides some significant new and valuable insight and/or information.
Program Payment Considerations
The iDefense VCP offers payments for valuable contributed research as an incentive to researchers for submitting their work. These payments can range from hundreds to thousands of dollars (US$), depending on the nature and value of the contributed work.
More specifically, the payment amount offered to a contributor for a submission is based largely on the following criteria:
Program Payment Methods
In an effort to accommodate the wide range of nationalities and locales of individual contributors, iDefense offers the following four methods of payment. Please be advised that iDefense is not responsible for any fees assessed to the contributor by the selected payment processor.
Check – iDefense will send compensation checks to a physical mailing address or a post office box within the United States (USA). International checks are not available at this time.
Personal PayPal account – The iDefense VCP supports the use of a personal PayPal account for compensating contributors (or their designee) OUTSIDE THE US. This payment method is not currently available to US Residents.
Western Union – In order for iDefense to complete a Western Union transaction, we require the "real" name of the receiving party (you or your designee) along with the country and city where they wish to pick up their payment. The list of countries in which Western Union will deliver payments may be found on their website at www.westernunion.com.
Wire Transfer – iDefense can execute wire transfers directly to a bank account. To make this possible, you must provide iDefense with the account holder's "real" name, the bank's name, the bank's ABA/routing number (or SWIFT code for a non-US bank), and the account number.
As an alternative to receiving compensation, a contributor may, at their discretion, instruct iDefense to donate any earned funds to a charity of the contributor's choice, either anonymously or in their name.
iDefense will make every effort to respond within five business days (US) to all research submissions that include clear and thorough documentation and working reliable proof-of-concept exploit code. Other submissions may take as long as 30 calendar days to be reviewed.
If you have questions or would like to sign up as a contributor to the VCP, please contact us via email. If you prefer to use encryption you can download our public PGP Key.