3Com Pays Up for Vulnerability Data

A new program from 3Com will pay security researchers for information on software vulnerabilities.

A new program from 3Com Corp. will pay security researchers for information on software vulnerabilities.

3Com and its TippingPoint division announced the ZDI (Zero Day Initiative) this week. The program will pay researchers cash for data on vulnerabilities, which 3Com will pass along to affected vendors and use to beef up protections through its TippingPoint Digital Vaccine service, the company said.

In exchange for money, security researchers who report a hole will sign a confidentiality agreement, promising not to disclose information about the security vulnerability until 3Com has publicized it.

Beginning this week, security researchers can enroll in the program via a 3Com Web portal. Starting next month, researchers can use the portal to submit vulnerability information, which 3Com researchers will validate, and to monitor the status of vulnerabilities they have submitted.

3Com will use the Black Hat Briefings conference in Las Vegas this week to enlist participants from the audience of hackers and computer security experts.

3Com would not say how much it plans to pay researchers, but the price it is willing to pay for vulnerability information will vary depending on the severity of the security hole, said Dave Endler, director of research at 3Coms TippingPoint division, in Austin, Texas. The ubiquity of the platform affected by the vulnerability, whether the hole is exploitable remotely and how much access it gives to vulnerable systems all influence the price 3Com will pay.

3Com will notify affected vendors of security flaws when it receives information about a security hole and then work with the vendors to make sure a patch is issued.

Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in Aliso Viejo, Calif., a company that makes software vulnerability management technology, said that "pay for vulnerability" programs give security researchers an easy outlet for security intelligence they uncover.

"If youre an individual, its not worth the time and effort to work with Microsoft [Corp.] for a year [to issue a patch]," Maiffret said. "Its too much work for a sensible person to want to deal with."


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.