An additional $2,000 to $4,000 is available if the researcher can also deliver a working exploit.
IDefense has issued strict rules for the contest. No more than six vulnerabilities will be accepted, all of which must be present in the most recent versions of the software. Any exploit code must not contain any kind of malicious payload.
Flaws that allow for remote execution are among the most serious threats to users. Such outbreaks earn the highest alert levels from security monitoring sites, and are often referred to as 'critical' vulnerabilities.
Microsoft said that, although the company has a policy of not paying for vulnerability disclosures, it does not expressly support or oppose the iDefense programme.
"Microsoft does not oppose programmes that work through the established processes for responsible disclosure, and do not put customers at risk," a company spokesman told vnunet.com.
"Microsoft does not want to speculate on the motives of third-party researchers, but is committed to working with them closely on the issues that they bring to our attention."
While the iDefense programme rewards users for developing attacks, Sites warned that it also allows for the disclosure of vulnerabilities that may otherwise have been discovered by a malware author and launched without warning.
He pointed out that paying users for the rights to attack code gives one company a competitive advantage by allowing customers exclusive protection, but leaves users of other security programs vulnerable to attack.
What iDefense is doing is nothing new, according to Sites, who pointed to the thriving underground market for new exploits from developers of attack programs used by malware authors and distributors.
Vulnerabilities that allow for remote code execution are among the most sought after because they can give an attacker nearly limitless control over a system.
Dave Marcus, security research and communications manager at McAfee, explained the appeal of remote code vulnerabilities to vnunet.com in an interview last month after publishing a report on the recent increase in critical flaws.
"The critical vulnerability is definitely the holy grail," said Marcus. "It is the one that the malware writers and botnet operators want to use because it is the one that lets them inject the code."
Microsoft patched over 130 critical vulnerabilities in 2006, more than doubling the previous year's total.
- Microsoft promises space flight in Vista promo
- Review: Microsoft Internet Explorer 7 browser
- Security threats fail to deter Mac faithful in 2006
- Microsoft critical vulnerability boom persists
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away