3Com puts a bounty on vulns

Report security bugs, get paid

TippingPoint, a division of networking giant 3Com, plans to pay researchers for information about unannounced vulnerabilities in major systems and software and will add bonuses for prolific flaw finders, the company announced on Monday.

Under the program, dubbed the Zero Day Initiative (ZDI), researchers will submit details of security bugs to 3Com and the company will make offers to become the exclusive owner of the information. The networking giant will use the information to provide early protection to its customers and also work with the affected product's maker to fix the vulnerability.

"Increasingly, an ecosystem is developing around technical security research knowledge concerning as-yet-undisclosed vulnerabilities," the company stated on the ZDI Web site. "We believe that one effective way to capture this data is by establishing a best-of-breed research clearing house and community."

Part bug bounty, part loyalty-rewards program, the Zero Day Initiative refines previous plans started by other companies to reward researchers for exclusive information on vulnerabilities.

Security information provider iDefense, now a subsidiary of VeriSign, established the Vulnerability Contributor Program to offer researchers cash for details about undisclosed flaws. Established in August 2002, the controversial plan has fueled debate on the question of responsible disclosure. Later, additional incentives added cash bonuses to the top contributors every quarter and year as well as rewards for referring other researchers.

The Mozilla Foundation has offered a bounty, but only for serious bugs found in its own open-source browser. Microsoft created perhaps the most famous bounty program in the security industry, but not for bugs. In August 2003, the software giant created a $5m fund to pay for information on attackers who release certain Internet worms and viruses. The bounty is credited with leading authorities to the creator of the Sasser worm, Sven Jaschan, who has been convicted of the crime.

Such programs have become less controversial over time, said Carole Theriault, a security consultant for antivirus firm Sophos.

"Microsoft offered a bounty, and I thought, 'This is Wild West here,' but they got an arrest," she said. "I don't think it is wrong to do. If someone finds something of value, then they should get paid for it."

Under 3Com's program, researchers will sign up for an account on the ZDI's portal site, which will launch on August 15. Vulnerabilities submitted to the company through the portal will be evaluated and the company will then make an offer to the flaw finder. If the researcher accepts the offer, then 3Com will own exclusive rights to the information.

Moreover, 3Com will offer additional awards to prolific bug hunters, granting them silver, gold or platinum status based on how many flaws they find. The company plans to use a point system, reminiscent of frequent flier programs, to track the productivity of researchers.

3Com plans to use flaw information to give its customers early protection against any attacks that might use the vulnerability. The company will obfuscate such updates to make it more difficult for information about the flaw to leak out early.

"No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch," the company stated. "Any protection filters written for submitted vulnerabilities that 3Com distributes to TippingPoint IPS customers are obscured by being described only in very general terms and are encrypted to prevent reverse engineering."

The economic benefit to the creators of such programs may lead to even more companies establishing their own vulnerability-buying programs, Sophos's Theriault said.

"It looks like - at the moment - that individual companies are doing these programs and they are individually paying for the information, but other players in the security industry may join together to pay for vulnerabilities in order to compete."

3Com intends to publicize the new program at the Black Hat Briefings and at the subsequent DEF CON hacker convention, according to an email announcing the Zero Day Initiative. Both events take place in Las Vegas this week.

Copyright © 2004, SecurityFocus

Related stories

3Com reports smaller loss as revenues shrink
3Com buys TippingPoint