We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Monday, February 20, 2006

Security intelligence outfit iDefense Labs is offering a $10,000 reward to any hacker who finds a worm hole in Microsoft's products, but the software maker isn't exactly thrilled by the gambit.

One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, Microsoft, based in Redmond, Wash., believes paying for flaws is not the best way to secure software products.

Of course, Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user.

The hacking challenge is part of VeriSign-owned iDefense's controversial VCP (Vulnerability Contributor Program), which offers financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code.

iDefense Labs defended the new program, insisting that it promotes the concept of responsible disclosure and keeps information on critical zero-day flaws away from malicious attackers.

It is strange that Microsoft offers $250,000 as a bounty to help capture a virus writer, but frowns on paying for the information that would stop the propagation of the virus.

Should all vendors be paying for vulnerabilities? In a free enterprise, everything has a cost and a value. We have recognized that value and we're willing to pay for it. Then should vendors be doing the same thing?

Peter Mell, a computer scientist who manages the NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database), said dangling incentives for hackers to target a single vendor could set a dangerous precedent.
