3Com to Buy Security Flaws?
Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, 'Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.'"
Good idea (Score:5, Interesting)
So they buy the vulnerabilities (Score:3, Interesting)
1. 3Com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
2. Another researcher (who wishes to stay anonymous) already submitted this bug.
It would be nice if they said how much the base is that they are willing to pay, and that you can look in the bug database (probably just on some kind of specific property so you can recognize the bug).
However I do like the ZDI platinum bonus: Blackhat training in Las Vegas (with the $20.000 bonus, should be a good few days (-: )
SunOS - Solaris (Score:3, Interesting)
IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.
Are they building up Intellectual Property (Score:4, Interesting)
Worse yet (Score:4, Interesting)
Re:Simple solution (Score:4, Interesting)
Brazen, fearless and with a personality to charm the socks right off of you, if he had stuck to cons he might well never have been caught (bad paper leaves a paper trail). Having once caught him, keeping him caught proved to be a bit of a problem, and on one occasion he simply talked his way out of prison.
It isn't listed in his IMDB entry (which he has by virtue of being the author of Catch Me if You Can), but he once made an appearance on The Tonight Show with Johnny Carson and so impressed me that it is one of the few Tonight Show interviews that has always stuck with me.
I haven't read the book, so it may well be the blurb that is at fault, but certain discrepancies between the book blurb at Amazon and things he said in that interview suggest to me that he's never really given up the con game and we'll never know what is the truth and what is the self-generated myth about him.
He should have gone into politics.
KFG
Re:Good idea (Score:2, Interesting)
If I remember correctly they offered $500 for each security flaw in the Mozilla browser or something.
Money where their mouth is (Score:2, Interesting)
Danegeld? (Score:3, Interesting)
(worked for a time, anyway).
Chip H.
Re:Good idea (Score:3, Interesting)
Speaking from experience. The company I used to work for reported to them a serious security flaw in their switches in 1998, and as a result I ended up filling the boot of a midsize station wagon with kit. The 3Com country rep opened the storage room with the demo gear and told the beancounters who had some objections to shut up. Some of it was new, some of it bargain bin age and quality. Considering that the cost was 0 we did not really care. Most of it got used. They also gave us some better than "normal" discounts from then on on purchases.
More likely scenario... (Score:1, Interesting)
1) Some hackerpunk writes the new and improved FloobleSchnork worm, which attacks, crashes and spreads through Cisco switches and routers running IOS.
2) 3Com buys the intellectual property of this worm from the hackerpunk and develops a solution to defend against it.
3) 3Com, of course, patents the holy crap out of their solution in such a manner that nobody else can implement any form of solution whatsoever to defend against the worm. The USPTO, in their brilliant wisdom, grants the patent in the time it takes for your average bureaucrat to rubber-stamp a sheet of paper without reading it.
4) ??? *
5) Profit!!!
* Where the mystery "???" step is either (A) Cisco tries to write a fix into their IOS and 3Com sues them for patent infringement or (B) Cisco just caves in and licenses the patented technology from 3Com. Either way, step #5 still produces 3Com's desired end-result.