iDefense Posts $12,000 Bounty On Vista, IE 7 Bugs
VeriSign iDefense Labs will pay a $12,000 bounty for critical vulnerabilities in and exploit code for Microsoft’s new Windows Vista operating system and Internet Explorer 7 browser. And Microsoft doesn’t seem to mind.
The rewards are part of the security company’s Vulnerability Contributor Program bounty scheme. The company has conducted higher-reward challenges like the Vista-IE 7 contest since early 2006.
“Both [Vista and IE 7] are new, and the number-one question from our customers is, ‘should we adopt them, are these really secure?’” says Frederick Doyle, iDefense director of research, in explaining the choices.
iDefense will pay the first six bug contributors $8,000 for new vulnerabilities that can be used to execute remote code—typically pegged “critical” by Microsoft—on a fully-patched system running Vista or IE 7.
An additional $2,000 to $4,000 will be paid if the researcher comes up with working exploit code for his or her bug. Flaws in beta versions of either product aren’t eligible for the bounty, which ends March 31.
