3Com offers reward for access to undisclosed security flaws

The company is willing to pay for exclusive access to data about vulnerabilities before the flaws are publicly disclosed.

LAS VEGAS - 3Com Corp. has entered the evolving market in undisclosed security flaws with a program to pay for exclusive access to information about new vulnerabilities.

The Santa Clara, Calif., company announced its Zero Day Initiative this week at the Black Hat Briefings. It is using the IT security conference to court hackers and security researchers for the program.

"We are rewarding researchers for bringing their vulnerability disclosures to 3Com," said David Endler, director of security research for the company's Tipping Point division. The company, however, will not disclose the prices being offered for vulnerabilities.

3Com is not the first company to offer cash for security information. The security intelligence company iDefense Inc. of Reston, Va., established its Vulnerability Contributor Program three years ago and paid for more than 200 otherwise undisclosed vulnerabilities during the first year. The company considers the money well spent, giving it a competitive advantage in protecting its customers.

But the practice of a company paying to secure exclusive access to vulnerabilities that could affect millions of users remains controversial.

Endler described the program as an effort to bring order to a chaotic system in which security vulnerabilities can be disclosed before software patches are available to correct them, or before users have had a chance to install those patches. Such zero-day vulnerabilities leave network operators and computer users exposed to attackers who exploit them with malicious code.

A consensus has developed in recent years among security researchers, software vendors and computer emergency response organizations that vendors should be given the opportunity to patch a vulnerability before it is publicized. But black hat hackers and an underground market for security information that can be exploited for criminal gain undermine this process.

"We are competing with organized crime," Endler said.

3Com has established a Web portal to solicit submissions. The initiative operates similarly to iDefense's program. After a vulnerability has been submitted and is verified by the company's researchers, a price is negotiated for exclusive rights to the information. Both iDefense and Tipping Point notify the vendor of the affected software and work out a timetable for when a patch will be ready and the vulnerability publicly disclosed. In the meantime, each company protects its own customers exclusively.

Customers of iDefense have nondisclosure agreements prohibiting them from discussing information about new vulnerabilities. Filters to protect Tipping Point customers will be distributed through its Digital Vaccine service.

"Our customers are being protected from threats they don't even know about," Endler said.

Tipping Point says a distinguishing feature of its program is that it will give competing security companies advance notice of vulnerabilities one day before their public disclosure.

"Software vendors understand that this is a landscape in which some people are not coming to them with information about vulnerabilities for one reason or another," Endler said. "We are providing an incentive so they can get the information free. It's a win-win situation."

William Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.