Prices for working exploit code range from $2,000 to $4,000

Jan 11, 2007 08:33 GMT

With Windows accounting for the lion's share of the operating system market and Internet Explorer for the lion's share of the browser market, remote arbitrary code execution vulnerabilities in Vista and IE7 command a high price.

VeriSign's iDefense Labs revealed that it is offering $8,000 to $12,000 for security flaws that allow remote arbitrary code execution in either Windows Vista or Internet Explorer 7, as part of its Q1 2007 quarterly challenge. Submissions are due by midnight EST on March 31, 2007.

"iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award. The iDefense Team at VeriSign will be responsible for making the final determination of whether or not a submission qualifies for the award," revealed iDefense.

Here are the criteria for the Vista and IE7 Vulnerability Challenge:

- The vulnerability must be remotely exploitable and must allow arbitrary code execution in a default installation of one of the technologies listed above;
- The vulnerability must exist in the latest version of the affected technology with all available patches/upgrades applied;
- 'RC' (Release Candidate), 'Beta', 'Technology Preview' and similar versions of the listed technologies are not included in this challenge;
- The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party;
- The vulnerability cannot be caused by or require any additional third-party software installed on the target system;
- The vulnerability must not require additional social engineering beyond browsing a malicious site.

Additionally, iDefense will pay between $2,000 and $4,000 for functional exploit code accompanying a submitted vulnerability.

"The arbitrary code execution must be of an uploaded non-malicious payload. Submission of a malicious payload is grounds for disqualification from this phase of the challenge. The minimum award for a working exploit is $2,000. In addition to the base award, additional amounts up to $4,000 may be awarded based upon: reliability of the exploit, quality of the exploit code, readability of the exploit code and documentation of the exploit code."