ECommerceTimes.com

TippingPoint: Will Pay for Bug Info



3Com (Nasdaq: COMS) division TippingPoint today announced a bug bounty program targeting money-hungry hackers. The amount of the reward depends on the severity and scope of the vulnerability -- but TippingPoint plans to make offers.

Dubbed the Zero Day Initiative, the new program aims to "ensure the responsible disclosure of security flaws in order to make technology more secure for users." The mission is to proactively protect businesses against newly discovered vulnerabilities.

Vulnerabilities enable attackers to gain control of a system for malicious purposes. These security flaws can also result in worms or Denial of Service attacks, which can bring down entire networks.

Jonathan Spira, chief analyst at security firm Basex, told TechNewsWorld that the Zero Day Initiative is an innovative program that extends a company's quality control testing to a large and knowledgeable community. Mozilla and iDefense have similar programs in place for the same purpose. Despite the positives, Spira warns of potential backlash.

"It makes sense from a business point-of-view to offer a payment in return for having discovered a bug, but the hacker ethos is not always in line with the business way of thinking and it may not go over very well in some circles," Spira said.

Avoiding Zero-Day Disclosures

The Zero Day Initiative attempts to prevent what is known as the "zero-day disclosure." This occurs when the discoverer of the vulnerability discloses the flaw to the public without notifying the vendor, putting businesses at risk from the time of disclosure until the affected vendor issues a patch, which can take weeks or months.

As part of the program, 3Com will reward security researchers who responsibly reveal information on newly discovered vulnerabilities, as opposed to publicly posting the potentially harmful information.

3Com figures security researchers want to be recognized for their discovery, but don't always achieve that in a responsible manner. With this program, the researcher is recognized for the discovery when the vulnerability is publicly disclosed with the vendor's patch.

"Through this program, we seek to ensure that newly discovered vulnerabilities are managed, disclosed and remediated responsibly, so they don't pose a threat to businesses," said 3Com CTO Marc Willebeek-LeMair.

"The sooner we have information about a vulnerability, the sooner we can deliver protection to our customers. Ultimately, this benefits everyone: security and technology vendors, security researchers, end users, as well as 3Com and its TippingPoint division customers."

Putting Users On Notice

3Com said it would notify affected vendors of security flaws so they can immediately begin working on a solution, most often in the form of a patch. The vulnerabilities will only be disclosed publicly by 3Com once the affected vendor is able to offer a solution to end users, mitigating the threat.

3Com said it would also use the information to provide preemptive protection to customers through its TippingPoint Digital Vaccine service. Additionally, 3Com plans to share vulnerability details freely with other security vendors prior to public disclosure.

"3Com's initiative is a positive step for the industry," said In-Stat Research Analyst Victoria Fodale. "Viruses or worms that take advantage of vulnerabilities that vendors are not yet aware of can be devastating to an organization. Both vendors and customers stand to benefit from this program. 3Com and its TippingPoint division are to be commended for taking this leadership position."


By Jennifer LeClaire

