In August of 2002, iDefense sent mail about their Vulnerability Contributor Program (VCP) to several vulnerability researchers. While the mail was somewhat targeted, it was also unsolicited and several people felt it was spam.
Received: from idsrv10.idefense.com (user242.idefense.com [188.8.131.52] (may be forged))
[..]
From: Sunil James
Subject: Introducing iDEFENSE's Vulnerability Contributor Program
Date: Wed, 7 Aug 2002 12:32:18 -0400

Greetings,

iDEFENSE is pleased to announce the official launch of its Vulnerability Contributor Program (VCP). The VCP pays contributors for the advance notification of vulnerabilities, exploit code and malicious code. iDEFENSE hopes you might consider contributing to the VCP. The following provides answers to some basic questions about the program:

Q. How will it work?

A. iDEFENSE understands the majority of security researchers do not publish security research for compensation; rather, it could be for any of a number of motivations, including the following:

* Pure love of security research
* The desire to protect against harm to targeted networks
* The desire to urge vendors to fix their products
* The publicity that often accompanies disclosure

The VCP is for those who want to have their research made public to the Internet community, but who would also like to be paid for doing the work. The compensation will depend, among other things, on the following items:

* The kind of information being shared (i.e. vulnerability or exploit)
* The amount of detail and analysis provided
* The potential severity level for the information shared
* The types of applications, operating systems, and other software and hardware potentially affected
* Verification by iDEFENSE Labs
* The level of exclusivity, if any, for data granted to iDEFENSE

Q. Who should contribute to the VCP?

A. The VCP is open to any individual, security research group or other entity.

Q. Why are you launching this program?

A. Timeliness remains a key aspect in security intelligence. Contributions to some lists take time before publication to the public at large. More often, many of these services charge clients for access without paying the original contributor. Under the iDEFENSE program, the contributor is compensated, iDEFENSE Labs verifies the issue, and iDEFENSE clients and the public at large are warned in a timely manner.

Q. Who gets the credit?

A. The contributor is always credited for discovering the vulnerability or exploit information.

Q. When can I contribute?

The VCP is active. You are welcome to begin contributing today. To learn more, go to http://www.idefense.com/contributor.html.

If you have questions or would like to sign up as a contributor to the VCP, please contact us at email@example.com.

Regards,

Sunil James
Technical Analyst
iDEFENSE

"iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world -- from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. The iALERT security intelligence service provides decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. iDEFENSE Labs is the research wing that verifies vulnerabilities, examines the behavior of exploits and other malicious code and discovers new software/hardware weaknesses in a controlled lab environment."