Slashdot Mirror


3Com to Buy Security Flaws?

Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, "Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.""

11 of 105 comments

  1. Good idea by dmurray14 · · Score: 5, Interesting

Much better way to deal with bugs; I'm surprised no one thought about this before. I guess the real test will be to see how they deal with the bugs they "buy".

    1. Re:Good idea by idokus · · Score: 2, Interesting

I thought Mozilla had already done this; it was a while ago (around 2001 or 2002, I think, but that's just a hunch).
If I remember correctly they offered $500 for each security flaw in the Mozilla browser or something.

    2. Re:Good idea by arivanov · · Score: 2, Interesting

      3Com has a long history of it.

Speaking from experience: the company I used to work for reported a serious security flaw in their switches to them in 1998, and as a result I ended up filling the boot of a midsize station wagon with kit. The 3Com country rep opened the storage room with the demo gear and told the beancounters who had some objections to shut up. Some of it was new, some of it bargain-bin age and quality. Considering that the cost was 0, we did not really care. Most of it got used. They also gave us better than "normal" discounts on purchases from then on.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  2. So they buy the vulnerabilities by jurt1235 · · Score: 2, Interesting

    And have a great bonus program which will pay you a nice bonus, but what they fail to mention is how much a vulnerability is worth. They have everything they need here to screw you with:
    1. 3Com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
    2. Another researcher (who wishes to stay anonymous) already submitted this bug.
    It would be nice if they said what the base amount is that they are willing to pay, and that you can look in the bug database (probably just on some kind of specific property so you can recognize the bug).

    However, I do like the ZDI platinum bonus: Black Hat training in Las Vegas (with the $20,000 bonus, should be a good few days (-: )

    --

    My wife's sketchblog Blob[p]: Gastrono-me
  3. SunOS - Solaris by bsd4me · · Score: 2, Interesting

    IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.

    --

    (S(SKK)(SKK))(S(SKK)(SKK))

  4. Are they building up Intellectual Property by uid000 · · Score: 4, Interesting

    If they "buy" a software vulnerability, and build a signature for it, will somebody else who builds a signature (e.g., snort) for it be violating some IP right like copyright or patent?

  5. Worse yet by infonography · · Score: 3, Interesting

    The issue is that if you get paid for finding a flaw, you could get sued for it, and there is a nice money trail back to you. 3Com makes no pretense at anonymity, nor grants any immunity from liability. While I admit that's not likely, they would sue 3Com first and name you as a co-defendant; you're still in it with them. This has happened in the past, I see no reason it's not gonna happen again.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  6. Re:Simple solution by kfg · · Score: 4, Interesting

    Frank Abagnale was the Kevin Mitnick of his time, and although he was a master counterfeiter his chief skill was in "social engineering."

    Brazen, fearless and with a personality to charm the socks right off of you, if he had stuck to cons he might well never have been caught (bad paper leaves a paper trail). Having once caught him, keeping him caught proved to be a bit of a problem, and on one occasion he simply talked his way out of prison.

    It isn't listed in his IMDB entry (which he has by virtue of being the author of Catch Me if You Can), but he once made an appearance on The Tonight Show with Johnny Carson and so impressed me that it is one of the few Tonight Show interviews that has always stuck with me.

    I haven't read the book, so it may well be the blurb that is at fault, but certain discrepancies between the book blurb at Amazon and things he said in that interview suggest to me that he's never really given up the con game, and we'll never know what is the truth and what is the self-generated myth about him.

    He should have gone into politics.

    KFG

  7. Money where their mouth is by B11 · · Score: 2, Interesting

    A lot of hackers will have to put their money where their mouth is. I hear a lot of even "black hats" say they do it for sport, for money, etc., but not maliciously. This provides them an outlet to safely do so; let's see if they bite.

    --
    insert inflammatory anti-microsoft comment here
  8. Danegeld? by chiph · · Score: 2, Interesting

    Isn't this similar to the Danegeld that the English used to pay to the Vikings, to keep them from pillaging their towns & burning their crops?
    (worked for a time, anyway).

    Chip H.

  9. More likely scenario... by Anonymous Coward · · Score: 1, Interesting

    Hypothetical situation here:

    1) Some hackerpunk writes the new and improved FloobleSchnork worm, which attacks, crashes and spreads thru Cisco switches and routers running IOS.

    2) 3Com buys the intellectual property of this worm from the hackerpunk and develops a solution to defend against it.

    3) 3Com, of course, patents the holy crap out of their solution in such a manner that nobody else can implement any form of solution whatsoever to defend against the worm. The USPTO, in their brilliant wisdom, grants the patent in the time it takes for your average bureaucrat to rubber-stamp a sheet of paper without reading it.

    4) ??? *

    5) Profit!!!

    * Where the mystery "???" step is either (A) Cisco tries to write a fix into their IOS and 3Com sues them for patent infringement or (B) Cisco just caves in and licenses the patented technology from 3Com. Either way, step #5 still produces 3Com's desired end-result.