3Com to Buy Security Flaws?
Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, "Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.""
"Will deal only with reputable researchers" (Score:5, Insightful)
So I gotta wonder how they are gonna determine who is reputable and who is not ...
Simple solution (Score:5, Insightful)
What was the famous counterfeiter's name that the FBI hired to spot fakes? He was the basis for the movie 'Catch Me If You Can'.
Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.
Re:"Will deal only with reputable researchers" (Score:4, Insightful)
Re:"Will deal only with reputable researchers" (Score:5, Insightful)
Give us your identity, and your bug, we give you the money. Sounds fair.
Clearing house for bugs: Nice idea, however (Score:5, Insightful)
So to summarize (Score:4, Insightful)
Hmmm, great business model...
Re:Simple solution (Score:3, Insightful)
Did I read that right? (Score:1, Insightful)
This reminds me of mob "insurance".
"You know, if you don't pay us to protect you, something bad could happen to you."
Anyone else see a moral issue here?
DIY funding (Score:5, Insightful)
Re:Did I read that right? (Score:3, Insightful)
Secondly, there is no mob insurance: 3com won't crash non-subscribers' computers after making threats, they'll tip people who discover already existing vulnerabilities, and get money from other people to tell them early about them. Take your tinfoil hat off already, gee...
Re:Did I read that right? (Score:-1, Insightful)
yes, it worked for me... (Score:4, Insightful)
Re:So to summarize (Score:3, Insightful)
Seems a pretty sound business model to me.
This is a double-edged sword (Score:3, Insightful)
And on the other hand, there is a lot of potential for abuse. We could see vulnerability stuffing in open source to get a kick-back (I know it's hard to believe it could happen, but remember - there is money involved), we could see 3com dissing people on the bounty checks, which could motivate the hacker to turn the vuln into a worm more quickly to get back at 3com, and then there is just the fundamental philosophy that 3com is rewarding someone for doing something bad.
We're going to have to wait to see how this plays out over time. It doesn't seem like a good idea to me, but then 3com has to be able to compete with the big boys now that they own Tipping Point.
Jerry
http://www.cyvin.org/ [cyvin.org]
Re:Simple solution (Score:3, Insightful)
Re:Since they are competing with money... (Score:3, Insightful)
And if you discover a pattern in one of your suppliers wherein a vulnerability they sell you always shows up with the blackhat organizations at the same time... well, that's why you required traceable identity information before you paid them.
The law, in this case, acts as the stick. Money, as always, is the carrot.
No `advanced notice' for open source code? (Score:3, Insightful)
I don't like the sound of this:
This clause seems to indicate that no open source projects are going to benefit from this `advanced notification' scheme. Since patches to open source code are, well, open source, they'd be construed as revealing the nature of the vulnerability, and so 3com won't release the vulnerability information. I really don't like the fact that this clause seems to be giving closed-source products and vendors a leg up when it comes to security notifications.
Re:Simple solution (Score:3, Insightful)
Your white hat professionals may have taken a class, been taught by a friend, employers, etc., but most of those people will never match up to the teenager who took it upon himself to learn the details of how to enter a system. That's the difference between having just a 'job' and having a great passion for what you do.