When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities, like stolen credit-card numbers and spammable e-mail addresses, carry real financial value and are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.
Vista provides the latest target.
This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness.
IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems.
Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.
The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chatrooms trying to sell the holes they have discovered, and the coding to exploit them.
Especially prized are so-called zero-day exploits, attack code for flaws the software maker does not yet know about or has not yet patched, so that when the exploit is first used there is no fix and no known defense against it.
Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that the vendor could issue a fix, or patch, and protect the general public before the flaw became widely known. But now some researchers contend that their time and effort are worth much more than the public credit a vendor offers.
Misusing such information to attack computers or to aid others in such attacks is illegal, but there appears to be nothing illegal about the act of discovering and selling vulnerabilities. Prices for such software bugs range from a couple of hundred dollars to tens of thousands.