iDefense Labs is pleased to announce the launch of next installment in our quarterly vulnerability challenge. Last quarter's challenge focused on critical vulnerabilities in Microsoft products and was a great success. We would like to thank everyone that forwarded submissions prior to the deadline on March 31, 2006. We look forward to announcing award winners once public advisories become available for the vulnerabilities. For the second quarter of 2006, we're shifting the focus from vendor to technology. This time around, we're focusing on database vulnerabilities. For submissions received before June 30, 2006, iDefense Labs will pay $10,000 for each vulnerability submission that results in the discovery of a remotely exploitable database vulnerability that meets the following criteria. - Technologies: - Oracle Database 10G - Microsoft SQL Server 2005 - IBM DB Universal Database 8.2 - MySQL 5.0 - PostgreSQL 8.1 - The vulnerability must be original and not previously disclosed either publicly or to the vendor by another party - The vulnerability must be remotely exploitable in a default installation of one of the targeted technologies - The vulnerability must exist in the latest version of the affected technology with all current patches/upgrades applied - The vulnerability cannot be caused by or require third party software - The vulnerability must result in root access on the target machine - The vulnerability must not require the use of authentication credentials - The vulnerability must receive the vendor's maximum severity ranking when the advisory is published (if applicable). In order to qualify, the submission must be sent during the current quarter and be received by midnight EST on June 30, 2006. The $10,000 prizes will be paid out following confirmation with the affected vendor and will be paid in addition to any amount paid for the vulnerability when it is first accepted. Only the initial submission for a given vulnerability will qualify for the reward and a maximum of six awards will be paid out. Should more than six submissions qualify, the first six submissions will receive the reward. Further details on the iDefense Vulnerability Contributor Program (VCP) can be found at: http://labs.idefense.com/vcp.php Michael Sutton Director, iDefense Labs