iDefense Q3 2006 $10,000 Vulnerability Challenge - Web Browsers
After reading about the Digital Armaments challenge I found it difficult to believe that iDefense wouldn't offer, or have offered, something similar. Sure enough, here it is. Unfortunately, thanks to the Flash, I can't give you a direct link; you have to click on the "Q3 2006" bar on that page. So the way it worked was that during Q3 2006 (ending Sept 30th at midnight) they would pay you a $10,000 bonus for remote, non-social-engineering exploits against IE 6, FF 1.5, Safari 2, or Opera 9 (I'm assuming the IBM DB Universal Database 8.2 is an accidental holdover from the previous quarter's database challenge…but what do I know? Maybe it has a web browser easter egg!). That's a $10k bonus on top of what they would have paid you for it anyway based on their established severity criteria. Also, up to 6 prizes could be awarded (as opposed to the 3 for the current quarter's challenge against IM clients).
So, when considering what this contest means in terms of future browser exploits, we can make some educated guesses. The most recent advisories issued by iDefense have vendor notification dates somewhere between 1 and 2 months prior. Therefore we might expect to see the fruits of this contest for the next month or so. Thus far, a single browser vulnerability has been released: the Opera heap overflow that I discussed here. One wonders whether a possible $10k check factored into the author's decision to remain anonymous and not take credit for the exploit.
As with the Digital Armaments contest, the iDefense one clearly indicates that client-side exploits are an important threat which is only beginning to be dealt with.
