An additional $2,000 to $4,000 is available if the researcher can also deliver a working exploit.
IDefense has issued strict rules for the contest. No more than six vulnerabilities will be accepted, all of which must be present in the most recent versions of the software. Any exploit code must not contain any kind of malicious payload.
Flaws that allow for remote execution are among the most serious threats to users. Such outbreaks earn the highest alert levels from security monitoring sites, and are often referred to as 'critical' vulnerabilities.
Microsoft said that, although the company has a policy of not paying for vulnerability disclosures, it does not expressly support or oppose the iDefense programme.
"Microsoft does not oppose programmes that work through the established processes for responsible disclosure, and do not put customers at risk," a company spokesman told vnunet.com.
"Microsoft does not want to speculate on the motives of third-party researchers, but is committed to working with them closely on the issues that they bring to our attention."
While the iDefense programme rewards users for developing attacks, Sites warned that it also allows for the disclosure of vulnerabilities that may otherwise have been discovered by a malware author and launched without warning.
He pointed out that paying users for the rights to attack code gives one company a competitive advantage by allowing customers exclusive protection, but leaves users of other security programs vulnerable to attack.
What iDefense is doing is nothing new, according to Sites, who pointed to the thriving underground market for new exploits from developers of attack programs used by malware authors and distributors.
Vulnerabilities that allow for remote code execution are among the most sought after because they can give an attacker nearly limitless control over a system.
Dave Marcus, security research and communications manager at McAfee, explained the appeal of remote code vulnerabilities to vnunet.com in an interview last month after publishing a report on the recent increase in critical flaws.
"The critical vulnerability is definitely the holy grail," said Marcus. "It is the one that the malware writers and botnet operators want to use because it is the one that lets them inject the code."
Microsoft patched over 130 critical vulnerabilities in 2006, more than doubling the previous year's total.
- Microsoft promises space flight in Vista promo
- Review: Microsoft Internet Explorer 7 browser
- Security threats fail to deter Mac faithful in 2006
- Microsoft critical vulnerability boom persists
Antarctica lost on average 252 gigatons of ice mass per year from 2009 to 2017, claims study
Buyers can demand refunds if they've had a game for no more than 14 days and not registered more than two hours of play
Total lunar eclipse 2019: 'Super Blood Wolf Moon' to be visible across Europe and North America on Sunday night
Moon will turn reddish-orange in colour during this weekend's total lunar eclipse
Hackers to compete for prize money of between $35,000 and $250,000 cracking the Tesla Model 3 at this year's Pwn2Own contest