iDefense ( Spams

In August of 2002, iDefense sent mail about their Vulnerability Contributor Program (VCP) to several vulnerability researchers. While the mail was somewhat targeted, it was also unsolicited and several people felt it was spam.

Received: from ( [] (may be forged))
From: Sunil James 
Subject: Introducing iDEFENSE's Vulnerability Contributor Program
Date: Wed, 7 Aug 2002 12:32:18 -0400


iDEFENSE is pleased to announce the official launch of its Vulnerability
Contributor Program (VCP). The VCP pays contributors for the advance
notification of vulnerabilities, exploit code and malicious code.

iDEFENSE hopes you might consider contributing to the VCP. The following
provides answers to some basic questions about the program:

Q. How will it work?
A. iDEFENSE understands the majority of security researchers do not publish
security research for compensation; rather, it could be for any of a number
of motivations, including the following:

        * Pure love of security research
        * The desire to protect against harm to targeted networks
        * The desire to urge vendors to fix their products
        * The publicity that often accompanies disclosure

The VCP is for those who want to have their research made public to the
Internet community, but who would also like to be paid for doing the
work.The compensation will depend, among other things, on the following

        * The kind of information being shared (i.e. vulnerability or
        * The amount of detail and analysis provided
        * The potential severity level for the information shared
        * The types of applications, operating systems, and other software
and hardware potentially affected
        * Verification by iDEFENSE Labs
        * The level of exclusivity, if any, for data granted to iDEFENSE

Q. Who should contribute to the VCP?
A. The VCP is open to any individual, security research group or other

Q. Why are you launching this program?
A. Timeliness remains a key aspect in security intelligence. Contributions
to some lists take time before publication to the public at large. More
often, many of these services charge clients for access without paying the
original contributor. Under the iDEFENSE program, the contributor is
compensated, iDEFENSE Labs verifies the issue, and iDEFENSE clients and the
public at large are warned in a timely manner.

Q. Who gets the credit?
A. The contributor is always credited for discovering the vulnerability or
exploit information.

Q. When can I contribute?
The VCP is active. You are welcome to begin contributing today.

To learn more, go to If you have
questions or would like to sign up as a contributor to the VCP, please
contact us at


Sunil James
Technical Analyst

"iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world -- from technical vulnerabilities and
hacker profiling to the global spread of viruses and other malicious code.
The iALERT security intelligence service provides decision-makers, frontline
security professionals and network administrators with timely access to
actionable intelligence and decision support on cyber-related threats.
iDEFENSE Labs is the research wing that verifies vulnerabilities, examines
the behavior of exploits and other malicious code and discovers new
software/hardware weaknesses in a controlled lab environment."

main page ATTRITION feedback