Microsoft says its new operating system, Windows Vista, is the most secure in the company’s history. Now the bounty hunters will test just how secure it is.

When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities – as with stolen credit-card numbers and spammable e-mail addresses – carry real financial value and are commonly bought, sold and traded online, both by legitimate security companies, who say they are providing a service, and by nefarious hackers and thieves.

Vista, which will be installed on millions of new PCs starting today, provides the latest target.

This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness.

IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems.

Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.

The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.

Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense.

Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.

“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow.

Leave a comment

Your email address will not be published.