3Com to Buy Security Flaws? 105

Posted by Hemos
from the trying-new-models dept.
Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article: 'Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.'"
  • by xmas2003 (739875) * on Monday July 25, 2005 @10:18AM (#13155934) Homepage
    From the article: Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." The term "black hat" is used to describe criminal hackers.

    So I gotta wonder how they are gonna determine who is reputable and who is not ...

  • Good idea (Score:5, Interesting)

    by dmurray14 (899569) on Monday July 25, 2005 @10:18AM (#13155939)
    Much better way to deal with bugs, I'm surprised no one thought about this before. I guess the real test will be to see how they deal with the bugs they "buy"
    • SunOS - Solaris (Score:3, Interesting)

      by bsd4me (759597)

      IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.

    • by scotty777 (681923) on Monday July 25, 2005 @10:46AM (#13156205) Journal
      20 years ago I wrote a security system, and offered the staff a free lunch if they could find any "undocumented behavior". It's a quick and cheap way to build confidence. I had a couple of takers, but both quit their spiel while they were laying out their case... Seems they didn't RTFM! ; )
    • Re:Good idea (Score:2, Interesting)

      by idokus (902277)
      I thought mozilla already has done this, it was a while ago, (think around 2001 or 2002, but that's just a hunch).
      If I remember correctly they offered $500 for each security flaw in the mozilla browser or something.
    • Re:Good idea (Score:3, Interesting)

      by arivanov (12034)
      3Com has a long history of it.

      Speaking out of experience. The company I used to work for reported to them a serious security flaw on their switches in 1998 and as a result I ended up filling the boot of a midsize station wagon with kit. The 3Com country rep opened the storage room with the demo gear and told the beancounters who had some objections to shut up. Some of it was new, some of it bargain bin age and quality. Considering that the cost was 0 we did not really care. Most of it got used. They also
    • Knuth will pay you if you find a bug in either his books or TeX. It's a pittance, but a nice geek showpiece if you get one; I'd suggest framing it. And no, I am not cool enough to have earned one. :(
      • It's $2.56 (a hexadecimal dollar) if you find a new bug in TAOCP. I don't think he's paying for bug hunting in TeX anymore, since he's not really involved with TeX anymore. He has a nice signature. Not that I have one either.
  • Wow (Score:4, Funny)

    by truckaxle (883149) on Monday July 25, 2005 @10:19AM (#13155944) Homepage
    I knew 3COM was big, but big enough to buy Microsoft? Wow!
  • Simple solution (Score:5, Insightful)

    by Sierpinski (266120) on Monday July 25, 2005 @10:21AM (#13155970)
    If someone is able to break into your system offer to pay them to keep it secure from others like themselves.

    What was the famous counterfeiters name that the FBI hired to spot fakes? He was the basis for the movie 'Catch me if you Can'.

    Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.
    • Re:Simple solution (Score:3, Insightful)

      by myspys (204685)
      Frank Abagnale Jr [crimelibrary.com] is the man you're looking for!
    • Re:Simple solution (Score:4, Interesting)

      by kfg (145172) on Monday July 25, 2005 @11:35AM (#13156605)
      Frank Abagnale was the Kevin Mitnick of his time, and although he was a master counterfeiter his chief skill was in "social engineering."

      Brazen, fearless and with a personality to charm the socks right off of you, if he had stuck to cons he might well never have been caught (bad paper leaves a paper trail). Having once caught him, keeping him caught proved to be a bit of a problem, and on one occasion he simply talked his way out of prison.

      It isn't listed in his IMDB entry (which he has by virtue of being the author of Catch Me if You Can), but he once made an appearance on The Tonight Show with Johnny Carson and so impressed me that it is one of the few Tonight Show interviews that has always stuck with me.

      I haven't read the book, so it may well be the blurb that is at fault, but certain discrepancies between the book blurb at Amazon and things he said in that interview suggest to me that he's never really given up the con game, and we'll never know what is the truth and what is the self-generated myth about him.

      He should have gone into politics.

      KFG
    • Re:Simple solution (Score:3, Insightful)

      by paranode (671698)
      Legitimized extortion? I think the companies that would hire a criminal to secure their network and put full faith in him not to abuse the data he has access to are few, far between, and frankly a little nutty. It's just a publicity stunt when a company does this. There are a lot of very qualified white hat experts with a long resume of experience and referrals that are a lot more trustworthy and probably more knowledgeable than the kid from Finland who used his l33t skillz to run his script from IRC aga
      • Re:Simple solution (Score:3, Insightful)

        by Sierpinski (266120)
        You must not get out much. This type of thing happens, and in my opinion makes perfect sense. Who better to secure your network than the person who got in? Calling these guys criminals (now I'm talking about the ones who actually do nothing malicious OTHER than enter a system that they do not own) is a social thing, not necessarily an ethical one. (I won't get into the debate about whether or not someone can walk into your house because the door is open, blah blah blah) but not only would these companies all
        • Sounds like you just have an overblown sense of glorious admiration for teenage miscreants.

          If I knew a company I did business with was using some kid who breaks into other people's systems for fun to safeguard my personal data, I would quit doing business with said company. It's one thing to hire them as a contracted penetration tester, it's an entirely different thing to hire them full time to guard your sensitive data. Maybe you were referring to the former, in which case I can agree with you.

  • by infonography (566403) on Monday July 25, 2005 @10:24AM (#13155994) Homepage
    They don't share the info on the exploits. With CERT the bug is known even if crucial details are not. With 3Com, it's a murky secret. According to their own data they will sit on them until they have notified every security company first. Only then will they tell the public, putting everybody at risk. Worse yet, from a business standpoint they can pay for an exploit only to have somebody else notify the world the next day. That's money lost. Unless they want to go and copyright the exploit, they are assed out.
    • Worse yet (Score:4, Interesting)

      by infonography (566403) on Monday July 25, 2005 @10:59AM (#13156302) Homepage
      The issue is that if you get paid for finding a flaw, you could get sued for it, and there is a nice money trail back to you. 3Com makes no pretense at anonymity or grants any immunity from liability. While I admit that's not likely, they would sue 3Com first and name you as a co-defendant; you're still in it with them. This has happened in the past, I see no reason it's not gonna happen again.
    • they can pay for an exploit only to have somebody else notify the world the next day. That's money lost.

      With any bug submitted we *could* see an announcement a day later (or whenever the check clears), but remember that 3Com says they're only gonna accept submissions from reputable sources. I bet that leaking information would kind of mark you as disreputable.

      In any case, let's say we have a 24 hour time lag from when some guy submits it and he publicly announces it. It's still gonna take more time for wor
    • That _Chocolypse Now_ link from your .sig gave me Chuckles ;).
  • So to summarize (Score:4, Insightful)

    by Rosco P. Coltrane (209368) on Monday July 25, 2005 @10:25AM (#13156009)
    3Com gets paid to alert its customers of vulnerabilities in near-real-time. Which means, more vulnerabilities fixed == less $$$ for them over time.

    Hmmm, great business model...
    • Re:So to summarize (Score:3, Insightful)

      by I8TheWorm (645702) *
      Not really... now they're paying people to help them earn that money. Someone submits a vuln to 3Com, gets paid a few hundred or thousand dollars, and 3Com gets the many thousands they're already charging their customers. Then they work on a fix, and get some glory on the back end.

      Seems a pretty sound business model to me.
      • What I meant was, if their business model really works, they'll report vulns to their original "owners", the vulns will get fixed, and there will be less and less vulns to be rooted out, until eventually the money well is close to dry.
        • Sure, but in the time between that vuln being reported to 3Com and it being fixed by the company who owns the software, people still want to know about it. I think that window is where 3Com is looking for profit.
        • What I meant was, if their business model really works, they'll report vulns to their original "owners", the vulns will get fixed, and there will be less and less vulns to be rooted out, until eventually the money well is close to dry.
          Nah. There will still be plenty of vulns in software until developer organizations start to make secure coding a priority. Even then, there will still be security problems made by well meaning people.
          In addition, there will always be unpatched systems for whatever reason
    • Doubtful there will be any shortage of vulnerabilities for a while.
  • Did it really say that a vulnerability detection company was going to pay people to create/discover vulnerabilities so they could be detected???

    This reminds me of mob "insurance".
    "You know, if you don't pay us to protect you, something bad could happen to you."

    Anyone else see a moral issue here?

    • Your post makes no sense: what does "pay people to create/discover vulnerabilities so they can be detected" mean? Have you RTFA?

      Secondly, there is no mob insurance: 3com won't crash non-subscribers' computers after making threats, they'll tip people who discover already existing vulnerabilities, and get money from other people to tell them early about them. Take your tinfoil hat off already, gee...
      • And you don't think that these vulnerabilities, once discovered, thanks to the incentive program, will make it into the wild?
        And you think that 3Com will share the details (early) with their competitors so that their customers can be protected too?
        No, I think we're on the way to having "exclusive" vulnerability protections.
        • And you don't think that these vulnerabilities, once discovered, thanks to the incentive program, will make it into the wild?

          And who would leak them? 3Com? if they did, they'd quickly get sued, or their program would go bust.

          And you think that 3Com will share the details (early) with their competitors so that their customers can be protected too?

          Again, if they discriminate against their competitors, it'll be noticed very quickly and the program will lose credibility.

          No, I think we're on the way to h
    • Did it really say "0-day Initiative"?

      That's like AOL founding the "^_^Rofloffle Institute for Instant Message Research".
    • by Anonymous Coward
      Hypothetical situation here:

      1) Some hackerpunk writes the new and improved FloobleSchnork worm, which attacks, crashes and spreads thru Cisco switches and routers running IOS.

      2) 3Com buys the intellectual property of this worm from the hackerpunk and develops a solution to defend against it.

      3) 3Com, of course, patents the holy crap out of their solution in such a manner that nobody else can implement any form of solution whatsoever to defend against the worm. The USPTO, in their brilliant wisdom, gran
  • by jurt1235 (834677) on Monday July 25, 2005 @10:29AM (#13156038) Homepage
    And they have a great bonus program which will pay you a nice bonus, but what they fail to mention is how much a vulnerability is worth. They have all it needs here just to screw you with:
    1. 3Com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
    2. Another researcher (who wishes to stay anonymous) already submitted this bug.
    It would be nice if they said how much the base is that they are willing to pay, and that you can look in the bug database (probably just on some kind of specific property so you can recognize the bug).

    However I do like the ZDI platinum bonus: Blackhat training in Las Vegas (with the $20.000 bonus, should be a good few days (-: )
  • DIY funding (Score:5, Insightful)

    by James McGuigan (852772) on Monday July 25, 2005 @10:33AM (#13156081) Homepage
    How long till someone finds a security flaw in 3com's online payment system and assigns themselves a financial reward for discovering the security flaw.
  • by jurt1235 (834677) on Monday July 25, 2005 @10:35AM (#13156093) Homepage
    If Microsoft would do this, they would go broke (-:
    • 1. Deliberately create security flaw in Windows
      2. Notify 3com of security flaw
      3. Wait 5 working days
      4. Profit
      • An interesting conspiracy theory, here is another one:

        1) Deliberately create security flaw in Windows.
        2) Break into government and competitors systems.
        3) ???
        4) Profit!

        But more likely the security errors they make are purely accidental. Microsoft do use some rotten business tactics occasionally, but I'm sure they wouldn't go as far as to deliberately make it easy to compromise Windows. If they were breaking the law in this way and got caught, it would do their reputation a lot of damage.

        Writing secure sof
    • Nah, they'd simply give you a free copy of Windows as your commission, hell, they can buy off the EU with it, it's good enough for you!
  • So will they credit the bug hunters, or will they treat them as their workers? Sharing information is a good move, but isn't that a marketing strategy that will make people think like 'Look, 3Com is the first to find vulnerabilities from all those reports'?
    • Well, it is for accredited researchers only. The point is, if I am a researcher, I will most likely find this bug during working hours, so the bonus will go to my employer, or he will wonder what I have been doing, or why 3Com pays me. With a bit of luck I will be able to go to the Vegas Blackhat training, but most likely my boss will go.

      They need to expand the program already to involve the white hat community (at least).
  • by uid000 (895926) on Monday July 25, 2005 @10:51AM (#13156244)
    If they "buy" a software vulnerability, and build a signature for it, will somebody else who builds a signature (e.g., snort) for it be violating some IP right like copyright or patent?
    • by Anonymous Coward
      The answer is no.

      From their FAQ (http://www.zerodayinitiative.com/faq.html [zerodayinitiative.com]):

      Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?

      We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.
      • >in an effort to do the most good with the information we have acquired Not to be cynical, but I believe that will only apply so far as they are profiting from this program. If this starts to turn into a money loser, any policy that might be costing them a competitive advantage while only gaining them an improved community image will probably be the first to go.
  • Will they be able to match what the underground organizations that they are trying to compete w/ pay - buck for buck - for the love of a black hat?

    Once you've stolen a couple of thousand credit card numbers, you can quite easily buy vulnerabilities - because no one's really accountable to the money you spend.

    Companies such as 3Com, on the other hand, have limited budgets, albeit big budgets but limited nonetheless. How will 3Com explain it to their customers and shareholders when a hacker sells a vulnerabil

    • Because it is *legal* money, requiring no fencing, no laundering, and above all providing no legal risk to the individual finding the vulnerability.

      And if you discover a pattern in one of your suppliers wherein a vulnerability they sell you always shows up with the blackhat organizations at the same time... well, that's why you required traceable identity information before you paid them.

      The law, in this case, acts as the stick. Money, as always, is the carrot.
  • by SkjeggApe (649721) on Monday July 25, 2005 @11:00AM (#13156320)
    Step 1: Create popular, mission critical software that every business will want to install
    Step 2: Insert sneaky vulnerabilities
    Step 3: Sell bugs to 3COM
    Step 4: PROFIT!!!!
  • by B11 (894359)
    A lot of hackers will have to put their money where their mouth is. I hear a lot of even "black hats" say they do it for sport, for money, etc., but not maliciously. This provides them an outlet to safely do so; let's see if they bite.
  • by confusion (14388) on Monday July 25, 2005 @12:37PM (#13157129) Homepage
    On one hand, this bounty will motivate "hackers" to disclose vulns to 3Com, who then will work with the vendor to fix the problem - and make themselves look good in the process - which means there is a legitimate way for some of these people to make real money off of their discoveries instead of turning them into worms or viruses.
    And on the other hand, there is a lot of potential for abuse. We could see vulnerability stuffing in open source to get a kickback (I know it's hard to believe it could happen, but remember - there is money involved), we could see 3Com dissing people on the bounty checks, which could motivate the hacker to turn the vuln into a worm more quickly to get back at 3Com, and then there is just the fundamental philosophy that 3Com is rewarding someone for doing something bad.

    We're going to have to wait to see how this plays out over time. It doesn't seem like a good idea to me, but then 3com has to be able to compete with the big boys now that they own Tipping Point.

    Jerry
    http://www.cyvin.org/ [cyvin.org]
  • Maybe I could patent a vulnerability, then sell the patent to SCO.
  • Danegeld? (Score:3, Interesting)

    by chiph (523845) on Monday July 25, 2005 @01:07PM (#13157447)
    Isn't this similar to the Danegeld [wikipedia.org] that the English used to pay to the Vikings, to keep them from pillaging their towns & burning their crops?
    (worked for a time, anyway).

    Chip H.
  • by shadowspar (59136) on Monday July 25, 2005 @01:12PM (#13157498) Homepage

    I don't like the sound of this:

    What types of security vendors are eligible for the advanced notice?

    In order to qualify for advanced notice, the security vendors must be in a position to remediate or provide protection of vulnerabilities with their solution, while not revealing details of the vulnerability itself to customers. The security vendor's product must also be resistant to discovery of the vulnerability through trivial reverse engineering. An example of such a vendor would be an Intrusion Prevention System, Intrusion Detection System, Vulnerability Scanner or Vulnerability Management System vendor.

    This clause seems to indicate that no open source projects are going to benefit from this 'advanced notification' scheme. Since patches to open source code are, well, open source, they'd be construed as revealing the nature of the vulnerability, and so 3Com won't release the vulnerability information. I really don't like the fact that this clause seems to be giving closed-source products and vendors a leg up when it comes to security notifications.

  • The only way you can get all color hats to really use their talents to rip apart, test, and validate where holes are located is CASH! Maybe, just maybe some standards will evolve on how to properly design, write and test software prior to releasing it to the public. There is no excuse with the tools available today for some of this stuff to actually make it past a QA department evaluation. If companies want others to locate problems, there is no reason why those OTHERS should not be paid for their time a
  • So this is where pirates work for a living...
  • As far as I can tell, you submit the full details of the bug to 3com, including exploit code if available. They take a look at it, and decide if they'll offer you some money. If you decide you like the offer, you fill out a W-9 form (in the US), and they send you a check/paypal/whatever.

    Perhaps I'm just paranoid, but why would I send them the full details on an exploit without any guarantee back from them? If there was a way to negotiate a deal before providing them the code, it would be alluring, but bein
