Early Detection: 3Com To Reward For Discoveries

Through its Zero Day Initiative, TippingPoint hopes to entice researchers to submit discoveries in exchange for financial incentives rather than disclosing them to the world before vendors have a chance to issue patches, said David Endler, director of security research at TippingPoint, Austin, Texas.

For TippingPoint partners, the initiative gives them the ability to provide security solutions that offer a head start in protection against threats, Endler said. While some researchers already contact vendors when they uncover problems, others choose full public disclosure for the glory or to exert pressure on vendors to act quickly, he said.

“That creates an environment where there are people who know about the vulnerability—both good guys and bad guys—but the vendor hasn't had a chance to issue a patch because they've not even looked at it yet,” he said.

Advance protection against vulnerabilities could be a strong selling point for TippingPoint's intrusion-prevention systems (IPS), said Gaby Batshoun, president and CEO of Global Business Solutions, Newport, Ky. The most critical vulnerabilities to catch would be those that impact Microsoft products or infrastructure, he said.

Mike Paquette, vice president of technology at IPS vendor Top Layer, Westborough, Mass., voiced mixed feelings about the new initiative, noting that the concept of paying for vulnerability discovery, while not new, is somewhat controversial. “On a grand scale, anything that helps software have fewer vulnerabilities and results in users having lower risk is good,” he said, noting Top Layer would consider joining the initiative.

However, Paquette said the notion of a security vendor dipping into its own pockets to fund such an effort raises conflict-of-interest questions and suggested instead that software developers should step up to provide funding.

Endler declined to disclose the expected range of fees or the size of the overall budget 3Com has allotted to pay the incentives. Through the initiative, TippingPoint will verify submitted discoveries, then make a reward offer based on factors such as the type of vulnerability, how much impact it could have and how difficult it is to exploit.

If the researcher accepts the offer, TippingPoint would notify the impacted vendor and issue protection filters to its own IPS customers without revealing the nature of the problem. The researcher would receive credit when TippingPoint and the impacted vendor publicly disclose the vulnerability and issue a patch. Rival intrusion-prevention/detection vendors that join the initiative would receive detailed notification one day prior to public disclosure, Endler said.