Challenge Focus: Most Significant Contributed Vulnerabilities of the Year
Challenge Year: 2008
Grand Prize Amount: $50,000
First Prize Amount: $25,000
Second Prize Amount: $10,000
Third Prize Amount: $5,000
Submission Deadline: Before Midnight EST on December 31, 2008

Vulnerability Challenge:
All prize candidates are subject to the following requirements:

• The vulnerability must be original findings presented in original work that had not been previously disclosed to any other party.
• The vulnerability is satisfactorily verified and accepted by the Vulnerability Research Team (VRT).  The contributor’s research must be reproducible by the VRT.
• The vulnerability cannot be caused by or require any additional third party software installed on the target system.
• The vulnerability exists in a currently supported version of the affected technology with all available patches and/or upgrades applied.
• The vulnerability requires little or no social engineering (Little or no Social Engineering includes opening a single document, reading/previewing an email, viewing a website, etc.).
• The vulnerability must be clearly and thoroughly documented by the Contributor.  Submitted research with poor or no documentation will not qualify for challenge prizes.

Challenge Prizes:

• Grand Prize
• $50,000 (USD)
• Transportation and lodging to the official iDefense VCP Awards Ceremony (to be held at an industry conference of our choosing).
• Admission to the conference at which the iDefense VCP Awards Ceremony is held
• First Prize
• $25,000 (USD)
• Transportation and lodging to the official iDefense VCP Awards Ceremony (to be held at an industry conference of our choosing).
• Admission to the conference at which the iDefense VCP Awards Ceremony is held
• Second Prize
• $10,000 (USD)
• Third Prize
• $5,000 (USD) 

Additional Information:
Prior to 2008, the old Challenge Program had awarded cash prizes for the best research submission targeting a specific technology over a 90 day period. Many iDefense VCP contributors had complained that 90 days was simply not enough time to properly research a good vulnerability, and informed the VCP that more time was needed. Recognizing that this was a fundamentally valid assertion, iDefense decided to ‘take the hint’ and restructure the entire iDefense VCP Challenge Program.

As of July 1, 2008 the new VCP Challenge Program takes effect, considering all qualifying research submissions through the end of the calendar year (31 December). Thereafter, the Challenge will consider all qualifying research accepted and compensated by the VCP Program that were received between the first day of January and the last day of December in each subsequent year. Following the acceptance deadline the iDefense Labs VRT will determine the winners and award the prizes. iDefense will award all cash prizes within thirty (30) days of the Challenge deadline. Under no circumstances will any submission be considered for any of the current year’s Challenge prizes if the contributor has not accepted the iDefense VCP’s offer for compensation for the submission.

Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Select E-Mail Clients and Servers
Time Period: Q4 2007
Prize Amount: $8,000 - $12,000
Number of Awards: Six
Submission Deadline: Before Midnight EST on December 31, 2007

Vulnerability Challenge:
E-mail is a valuable asset to corporations, but it also poses a significant threat. While e-mail filtering, blacklisting, whitelisting, and other approaches attempt to tame the e-mail beast, the fact is that unwanted (and sometime malicious) e-mail is being continuously delivered to the desktop via e-mail servers and e-mail clients. The following technologies are the focus of this challenge:

• Microsoft Outlook
• Mozilla Thunderbird
• Microsoft Outlook Express
• Sendmail SMTP daemon
• Microsoft Exchange Server

iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on any of the covered technologies listed above. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six challenge payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award. The iDefense Team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award. The criteria for this phase of the challenge are:

• The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above. In the context of this challenge only, exploitation includes the act of exploiting an e-mail client by opening the e-mail message with the default handler. No social engineering is allowed.
• The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied, except that Microsoft Outlook 2003, because of its de facto presence on the corporate desktop, will be considered as well.
• ‘RC’ (Release candidate), ‘Beta’, ‘Technology Preview’ and similar versions of the listed technologies are not included in this challenge
• The vulnerability must be original and not previously disclosed to any party
• The vulnerability cannot be caused by or require any additional third party software installed on the target system
• The vulnerability must not require any social engineering

Working Exploit Challenge:
In addition to the $8,000 award for the submitted vulnerability, iDefense will pay from $1,000 to $4,000 for proof-of-concept exploit code that exploits the submitted vulnerability. The arbitrary code execution must be of an uploaded non-malicious payload. The base award for a working exploit is $1,000. In addition to the base award, additional amounts up to $4,000 may be awarded based upon:

• Reliability of the exploit
• Quality of the exploit code
• Readability of the exploit code
• Documentation of the exploit code

Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Select Critical Internet Infrastructure Applications
Time Period: Q2 & Q3 2007
Prize Amount: $16,000 - $24,000
Number of Awards: Six
Submission Deadline: Before Midnight EDT on September 30, 2007

Vulnerability Challenge:
This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:

• Apache httpd
• Berkeley Internet Name Domain (BIND) daemon
• Sendmail SMTP daemon
• OpenSSH sshd
• Microsoft Internet Information (IIS) Server
• Microsoft Exchange Server

iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code in any of the covered technologies listed above. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than three challenge payments of $16,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award. The iDefense Team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award. The criteria for this phase of the challenge are:

• The vulnerability must be remotely exploitable and must allow arbitrary code execution in a typical installation of one of the technologies listed above
• The vulnerability must exist in the latest version of the affected technology with all available patches and/or upgrades applied
• ‘RC’ (Release candidate), ‘Beta’, ‘Technology Preview’ and similar versions of the listed technologies are not included in this challenge
• The vulnerability must be original and not previously disclosed to any party
• The vulnerability cannot be caused by or require any additional third party software installed on the target system
• The vulnerability must not require any social engineering

Working Exploit Challenge:
In addition to the $16,000 award for the submitted vulnerability, iDefense will pay from $2,000 to $8,000 for proof-of-concept exploit code that exploits the submitted vulnerability.

The base award for a working exploit is $2,000. In addition to the base award, additional amounts up to $4,000 may be awarded based upon:

• Reliability of the exploit
• Quality of the exploit code
• Readability of the exploit code
• Documentation of the exploit code

GOOD HUNTING!

Challenge Focus: Remote Arbitrary Code Execution Vulnerabilities in Vista & IE 7.0
Time Period: Q1, 2007
Prize Amount: $8,000 - $12,000
Submission Deadline: Before Midnight EST on March 31, 2007

Vulnerability Challenge:
Both Microsoft Internet Explorer and Microsoft Windows dominate their respective markets, and it is not surprising that the decision to update to the current release of Internet Explorer 7.0 and/or Windows Vista is fraught with uncertainty. Primary in the minds of IT security professionals is the question of vulnerabilities that may be present in these two groundbreaking products.

To help assuage this uncertainty, iDefense Labs is pleased to announce the Q1, 2007 quarterly challenge. iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award. The iDefense Team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award. The criteria for this phase of the challenge are:

• Technologies Covered:
  
  • Microsoft Internet Explorer 7.0
  • Microsoft Windows Vista
• Vulnerability Challenge Ground Rules:
  
  • The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above
  • The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied
  • ‘RC’ (Release candidate), ‘Beta’, ‘Technology Preview’ and similar versions of the listed technologies are not included in this challenge
  • The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party
  • The vulnerability cannot be caused by or require any additional third party software installed on the target system
  • The vulnerability must not require additional social engineering beyond browsing a malicious site

Working Exploit Challenge:
In addition to the $8,000 award for the submitted vulnerability, iDefense will pay from $2,000 to $4,000 for working exploit code that exploits the submitted vulnerability. The arbitrary code execution must be of an uploaded non-malicious payload. Submission of a malicious payload is grounds for disqualification from this phase of the challenge.

• Technologies Covered:
  
  • Microsoft Internet Explorer 7.0
  • Microsoft Windows Vista
• Working Exploit Challenge Ground Rules:
  Working exploit code must be for the submitted vulnerability only - iDefense will not consider exploit code for existing vulnerabilities or new vulnerabilities submitted by others. iDefense will consider one and only one working exploit for each original vulnerability submitted.
  
  The minimum award for a working exploit is $2,000. In addition to the base award, additional amounts up to $4,000 may be awarded based upon:
  
  • Reliability of the exploit
  • Quality of the exploit code
  • Readability of the exploit code
  • Documentation of the exploit code

Challenge Focus: Instant Messaging Applications
Time Period: Q4, 2006
Prize Amount: $10,000
Submission Deadline: Before Midnight EST on December 31, 2006

Challenge:
iDefense Labs is pleased to announce the launch of the next installment in our quarterly vulnerability challenge. For the 4th quarter, we are going to focus on instant messaging (IM) based vulnerabilities.

For submissions received before midnight on 31 December 2006, iDefense Labs will pay $10,000 for each vulnerability submission resulting in the discovery of a remotely exploitable IM vulnerability that meets the following criteria:

• Technologies Covered:
  
  • Microsoft MSN Messenger
  • Microsoft Windows Messenger [ Instant messaging only, NOT Windows Messaging Service ]
  • ICQ
  • AOL Instant Messenger
  • Google Talk
  • Apple iChat
  • Yahoo! Messenger
• The vulnerability must be remotely exploitable, allowing arbitrary code execution on the targeted machine, in a default installation of one of the technologies listed above.
• The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied
• ‘RC’ (Release candidate), ‘Beta’, ‘Technology Preview’ and similar versions of the listed technologies are not included in this challenge.
• The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party.
• The vulnerability cannot be caused by or require any additional third party software installed on the target system.
• The vulnerability must not require any additional social engineering or user interaction such as visiting a malicious web site, clicking a link, or accepting a dialog message.

In order to qualify, the submission must include a full working exploit, be sent during the current quarter and be received by midnight EST on December 31, 2006.

The $10,000 prizes will be paid out following confirmation with the affected vendor and will be paid in addition to any amount paid for the vulnerability when it is first accepted.

Only the initial submission for a given vulnerability will qualify for the reward and a maximum of three awards will be paid out. Should more than three submissions qualify, the first three submissions will receive the reward. VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award.

Challenge Focus: Web Browsers
Time Period: Q3, 2006
Prize Amount: $10,000
Submission Deadline: Before Midnight EST on September 30, 2006

Challenge:
iDefense Labs is pleased to announce the launch of next installment in our quarterly vulnerability challenge. For the third quarter of 2006, we’ll focus on browser based vulnerabilities, a topic which has been receiving plenty of attention lately with a steady increase in client side vulnerabilities which lend themselves to phising and identity theft attacks. For submissions received before September 30, 2006, iDefense Labs will pay $10,000 for each vulnerability submission that results in the discovery of a remotely exploitable web browser vulnerability that meets the following criteria.

• Technologies Covered:
  
  • Microsoft Internet Explorer 6.0
  • Mozilla Firefox 1.5 (or latest)
  • Apple Safari 2.0
  • Opera 9
• The vulnerability must be remotely exploitable, allowing arbitrary code execution on the targeted machine, in a default installation of one of the technologies listed above
• The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied
• ‘RC’ (Release candidate), ‘Beta’, ‘Technology Preview’ and similar versions of the listed technologies are not included in this challenge
• The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party
• The vulnerability cannot be caused by or require any additional third party software installed on the target system
• The vulnerability must not require additional social engineering beyond browsing a malicious site

In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on September 30, 2006. The $10,000 prizes will be paid out following confirmation with the affected vendor and will be paid in addition to any amount paid for the vulnerability when it is first accepted.

Only the initial submission for a given vulnerability will qualify for the reward and a maximum of six awards will be paid out. Should more than six submissions qualify, the first six submissions will receive the reward. VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award.

Challenge Focus: Databases
Time Period: Q2, 2006
Prize Amount: $10,000
Submission Deadline: Before Midnight EST on June 30, 2006

Challenge:
iDefense Labs will pay $10,000 for each vulnerability submission that results in the discovery of a remotely exploitable database vulnerability that meets the following criteria.

• Technologies Covered:
  
  • Oracle Database 10G
  • Microsoft SQL Server 2005
  • IBM DB Universal Database 8.2
  • MySQL 5.0
  • PostgreSQL 8.1
• The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party
• The vulnerability must be remotely exploitable in a default installation of one of the targeted technologies
• The vulnerability must exist in the latest version of the affected technology with all current patches/upgrades applied
• The vulnerability cannot be caused by or require third party software
• The vulnerability must result in root access on the target machine
• The vulnerability must not require the use of authentication credentials
• The vulnerability must receive the vendor’s maximum severity ranking when the advisory is published (if applicable)

In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on June 30, 2006. The $10,000 prizes will be paid out following confirmation with the affected vendor and will be paid in addition to any amount paid for the vulnerability when it is first accepted.

Only the initial submission for a given vulnerability will qualify for the reward and a maximum of six awards will be paid out. Should more than six submissions qualify, the first six submissions will receive the reward.

Challenge Focus: Microsoft Technologies
Time Period: Q1, 2006
Prize Amount: $10,000
Submission Deadline: Before Midnight EST on March 31, 2006

Challenge:
iDefense Labs is pleased to announce the launch of our quarterly hacking challenge. Going forward, on a quarterly basis, we will select a new focus for the challenge and outline the rules for vulnerability discoveries that will qualify for the monetary rewards. For the current quarter, iDefense Labs will pay $10,000 for each vulnerability submission that results in the publication of a Microsoft Security Bulletin with a severity rating of critical. In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on March 31, 2006. The $10,000 prizes will be paid out following the publication of the Microsoft Security Bulletin and will be paid in addition to any amount paid for the vulnerability when it is initially accepted. Only the initial submission for a given vulnerability will qualify for the reward.