Slashdot Mirror

← Back to Stories (view on slashdot.org)

3Com to Buy Security Flaws?

Posted by Hemos on from the trying-new-models dept.

Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, "Money has increasingly become an incentive for hackers. Program's such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.""

9 of 105 comments (clear)

  1. "Will deal only with reputable researchers" by xmas2003 · · Score: 5, Insightful
    From the article: Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." The term "black hat" is used to describe criminal hackers.

    So I gotta wonder how they are gonna determine who is reputable and who is not ...

    --
    Hulk SMASH Celiac Disease
    1. Re:"Will deal only with reputable researchers" by }InFuZeD{ · · Score: 3, Insightful

      Well... I imagine if they offer X ammount of dollars per flaw in a certain system and the person asks for more money, then they aren't reputable. If a "researcher" was previously getting no money for the bugs they found, they'd probablytake the little money they can get (I'm guessing TippingPoint won't be giving out a whole lot). If they're actually selling the thing to the highest bidder, I'm guessing TP isn't going to join in the bidding.

    2. Re:"Will deal only with reputable researchers" by cnettel · · Score: 4, Insightful
      Well, for a start, it could indicate that they won't be making any anonymous payments, or payments through proxies.

      Give us your identity, and your bug, we give you the money. Sounds fair.

  2. Simple solution by Sierpinski · · Score: 4, Insightful

    If someone is able to break into your system offer to pay them to keep it secure from others like themselves.

    What was the famous counterfeiters name that the FBI hired to spot fakes? He was the basis for the movie 'Catch me if you Can'.

    Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.

    --
    And they said zombies weren't real!
  3. Clearing house for bugs Nice idea however by infonography · · Score: 5, Insightful

    They don't share the info on the exploits. With CERT the bug is known even if crucial details are not. With 3Com, it's a murky secret. According to their own data they will sit on them until they have notified every security company first. Only then will they tell the public putting everybody at risk. Worst yet from a business standpoint they can pay of a exploit only to have somebody else notify the world the next day. That's money lost. Unless they want to go an copyright the exploit they are assed out.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  4. So to summarize by Rosco+P.+Coltrane · · Score: 3, Insightful

    3Com gets paid to alert its customers of vulnerabilities in near-real-time. Which means, more vulnerabilities fixed == less $$$ for them over time.

    Hmmm, great business model...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. DIY funding by James+McGuigan · · Score: 5, Insightful

    How long till someone finds a security flaw in 3com's online payment system and assigns themselves a financial reward for discovering the security flaw.

  6. yes, it worked for me... by scotty777 · · Score: 3, Insightful

    20 years ago I wrote a security system, and offered the staff a free lunch if they could find any "undocumented behavior". It's a quick and cheap way to build confidence. I had a couple of takers, but both quit their spiel while they were laying out their case... Seem they didn't RTFM! ; )

  7. No `advanced notice' for open source code? by shadowspar · · Score: 3, Insightful

    I don't like the sound of this:

    What types of security vendors are eligible for the advanced notice?

    In order to qualify for advanced notice, the security vendors must be in a position to remediate or provide protection of vulnerabilities with their solution, while not revealing details of the vulnerability itself to customers. The security vendor's product must also be resistant to discovery of the vulnerability through trivial reverse engineering. An example of such a vendor would be an Intrusion Prevention System, Intrusion Detection System, Vulnerability Scanner or Vulnerability Management System vendor.

    This clause seems to indicate that no open source projects are going to benefit from this `advanced notification' scheme. Since patches to open source code are, well, open source, they'd be construed as revealing the nature of the vulnerability, and so 3com won't release the vulnerability information. I really don't like the fact that this clause seems to be giving closed-source products and vendors a leg up when it comes to security notifications.

    --

    There is a spellbook here; eat it? [ynq]