3Com to Buy Security Flaws?

Posted by Hemos on Mon Jul 25, 2005 09:15 AM
from the trying-new-models dept.
Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, 'Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.'"
  • by xmas2003 (739875) * on Monday July 25 2005, @09:18AM (#13155934) Homepage
    From the article: Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." The term "black hat" is used to describe criminal hackers.

    So I gotta wonder how they are gonna determine who is reputable and who is not ...

    • by }InFuZeD{ (52430) on Monday July 25 2005, @09:23AM (#13155982) Homepage
      Well... I imagine if they offer X amount of dollars per flaw in a certain system and the person asks for more money, then they aren't reputable. If a "researcher" was previously getting no money for the bugs they found, they'd probably take the little money they can get (I'm guessing TippingPoint won't be giving out a whole lot). If they're actually selling the thing to the highest bidder, I'm guessing TP isn't going to join in the bidding.
    • by cnettel (836611) on Monday July 25 2005, @09:23AM (#13155987)
      Well, for a start, it could indicate that they won't be making any anonymous payments, or payments through proxies.

      Give us your identity, and your bug, we give you the money. Sounds fair.

  • Good idea (Score:5, Interesting)

    by dmurray14 (899569) on Monday July 25 2005, @09:18AM (#13155939)
    Much better way to deal with bugs, I'm surprised no one thought about this before. I guess the real test will be to see how they deal with the bugs they "buy"
    • IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.

    • by scotty777 (681923) on Monday July 25 2005, @09:46AM (#13156205) Journal
      20 years ago I wrote a security system, and offered the staff a free lunch if they could find any "undocumented behavior". It's a quick and cheap way to build confidence. I had a couple of takers, but both quit their spiel while they were laying out their case... Seems they didn't RTFM! ; )
  • Wow (Score:4, Funny)

    by truckaxle (883149) on Monday July 25 2005, @09:19AM (#13155944) Homepage
    I knew 3COM was big, but big enough to buy Microsoft? Wow!
  • Simple solution (Score:5, Insightful)

    by Sierpinski (266120) on Monday July 25 2005, @09:21AM (#13155970)
    If someone is able to break into your system offer to pay them to keep it secure from others like themselves.

    What was the famous counterfeiters name that the FBI hired to spot fakes? He was the basis for the movie 'Catch me if you Can'.

    Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.
    • Frank Abagnale Jr [crimelibrary.com] is the man you're looking for!
    • Re:Simple solution (Score:4, Interesting)

      by kfg (145172) on Monday July 25 2005, @10:35AM (#13156605)
      Frank Abagnale was the Kevin Mitnick of his time, and although he was a master counterfeiter his chief skill was in "social engineering."

      Brazen, fearless and with a personality to charm the socks right off of you, if he had stuck to cons he might well never have been caught (bad paper leaves a paper trail). Having once caught him keeping him caught proved to be a bit of a problem and on one occasion he simply talked his way out of prison

      It isn't listed in his IMDB entry (which he has by virtue of being the author of Catch Me if You Can), but he once made an appearance on The Tonight Show with Johnny Carson and so impressed me that it is one of the few Tonight Show interviews that has always stuck with me.

      I haven't read the book, so it may well be the blurb that is at fault, but certain discrepancies between the book blurb at Amazon and things he said in that interview suggest to me that he's never really given up the con game and we'll never know what is the truth and what is the self-generated myth about him.

      He should have gone into politics.

      KFG
    • Legitimized extortion? I think the companies that would hire a criminal to secure their network and put full faith in him not to abuse the data he has access to are few, far between, and frankly a little nutty. It's just a publicity stunt when a company does this. There are a lot of very qualified white hat experts with a long resume of experience and referrals that are a lot more trustworthy and probably more knowledgeable than the kid from Finland who used his l33t skillz to run his script from IRC aga
  • by infonography (566403) on Monday July 25 2005, @09:24AM (#13155994) Homepage
    They don't share the info on the exploits. With CERT the bug is known even if crucial details are not. With 3Com, it's a murky secret. According to their own data they will sit on them until they have notified every security company first. Only then will they tell the public, putting everybody at risk. Worse yet, from a business standpoint they can pay for an exploit only to have somebody else notify the world the next day. That's money lost. Unless they want to go and copyright the exploit, they are assed out.
    • Worse yet (Score:4, Interesting)

      by infonography (566403) on Monday July 25 2005, @09:59AM (#13156302) Homepage
      The issue is that if you get paid for finding a flaw, you could get sued for it and there is a nice money trail back to you. 3Com makes no pretense at anonymity or grants any immunity from liability. While I admit that's not likely, they would sue 3Com first and name you as a co-defendant; you're still in it with them. This has happened in the past, I see no reason it's not gonna happen again.
  • So to summarize (Score:4, Insightful)

    by Rosco P. Coltrane (209368) on Monday July 25 2005, @09:25AM (#13156009)
    3Com gets paid to alert its customers of vulnerabilities in near-real-time. Which means, more vulnerabilities fixed == less $$$ for them over time.

    Hmmm, great business model...
    • Not really... now they're paying people to help them earn that money. Someone submits a vuln to 3Com, gets paid a few hundred or thousand dollars, and 3Com gets the many thousands they're already charging their customers. Then they work on a fix, and get some glory on the back end.

      Seems a pretty sound business model to me.
  • by jurt1235 (834677) on Monday July 25 2005, @09:29AM (#13156038) Homepage
    And have a great bonus program which will pay you a nice bonus, but what they fail to mention is how much a vulnerability is worth. They have all it needs here just to screw you with:
    1. 3Com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
    2. Another researcher (who wishes to stay anonymous) already submitted this bug.
    It would be nice if they said something like how much the base is that they are willing to pay, and that you can look in the bug database (probably just on some kind of specific property so you can recognize the bug).

    However I do like the ZDI platinum bonus: Blackhat training in Las Vegas (with the $20.000 bonus, should be a good few days (-: )
  • DIY funding (Score:5, Insightful)

    by James McGuigan (852772) on Monday July 25 2005, @09:33AM (#13156081) Homepage
    How long till someone finds a security flaw in 3com's online payment system and assigns themselves a financial reward for discovering the security flaw.
  • by jurt1235 (834677) on Monday July 25 2005, @09:35AM (#13156093) Homepage
    If Microsoft would do this, they would go broke (-:
  • by uid000 (895926) on Monday July 25 2005, @09:51AM (#13156244)
    If they "buy" a software vulnerability, and build a signature for it, will somebody else who builds a signature (e.g., snort) for it be violating some IP right like copyright or patent?
    • by Anonymous Coward
      The answer is no.

      From their FAQ (http://www.zerodayinitiative.com/faq.html [zerodayinitiative.com]):

      Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?

      We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.
  • by SkjeggApe (649721) on Monday July 25 2005, @10:00AM (#13156320)
    Step 1: Create popular, mission critical software that every business will want to install
    Step 2: Insert sneaky vulnerabilities
    Step 3: Sell bugs to 3COM
    Step 4: PROFIT!!!!
  • by confusion (14388) on Monday July 25 2005, @11:37AM (#13157129) Homepage
    On one hand, this bounty will motivate "hackers" to disclose vuln's to 3com, who then will work with the vendor to fix the problem - and make themselves look good in the process - which means there is a legitimate way for some of these people to make real money off of their discoveries instead of turning them into worms or viruses.
    And on the other hand, there is a lot of potential for abuse. We could see vulnerability stuffing in open source to get a kick-back (I know it's hard to believe it could happen, but remember - there is money involved), we could see 3com dissing people on the bounty checks which could motivate the hacker to turn the vuln into a worm more quickly to get back at 3com and then there is just the fundamental philosophy that 3com is rewarding someone for doing something bad.

    We're going to have to wait to see how this plays out over time. It doesn't seem like a good idea to me, but then 3com has to be able to compete with the big boys now that they own Tipping Point.

    Jerry
    http://www.cyvin.org/ [cyvin.org]
  • Danegeld? (Score:3, Interesting)

    by chiph (523845) on Monday July 25 2005, @12:07PM (#13157447)
    Isn't this similar to the Danegeld [wikipedia.org] that the English used to pay to the Vikings, to keep them from pillaging their towns & burning their crops?
    (worked for a time, anyway).

    Chip H.
    • Your post makes no sense: what does "pay people to create/discover vulnerabilities so they can be detected" mean? Have you RTFA?

      Secondly, there is no mob insurance: 3com won't crash non-subscribers' computers after making threats, they'll tip people who discover already existing vulnerabilities, and get money from other people to tell them early about them. Take your tinfoil hat off already, gee...
    • Because it is *legal* money, requiring no fencing, no laundering, and above all providing no legal risk to the individual finding the vulnerability.

      And if you discover a pattern in one of your suppliers wherein a vulnerability they sell you always shows up with the blackhat organizations at the same time... well, that's why you required traceable identity information before you paid them.

      The law, in this case, acts as the stick. Money, as always, is the carrot.