Computing in the real world
[Security]
TippingPoint to pay bug-hunting bounty
2:08PM, Tuesday 26th July 2005
A security company is to pay for tip-offs of security holes in software.

3Com-owned TippingPoint says its Zero Day Initiative (ZDI) will reward security researchers for telling it of security gaffes they come across, rather than making them public.

Publicising flaws in software before the software vendor has time to research and fix the holes can mean that exploit code is assembled before users are protected - a zero-day attack.

There are many reasons why a researcher would want to tell the world of their discovery. Sometimes it's the kudos of being first at the crime scene; other times it can be simply because the vendor concerned has not responded to the threat.

The generally agreed period given to vendors in which to fix a hole, once notified, is two months. eEye Digital publishes a list of vulnerabilities it knows of, along with the length of time affected vendors take to offer a patch.

Right now the list details a problem in Windows, IE and Outlook which could allow remote execution of code, and which remains unaddressed four months after Microsoft was notified. Researchers understandably become frustrated at such a situation: without a fix, they themselves may be vulnerable, and the networks of security companies are among the most highly targeted.

TippingPoint's ZDI is banking on the lure of cold cash to prevent frustrated or vanity-stricken researchers publicising their findings.
But it also serves the company with some great marketing spin. If it takes off, TippingPoint will ensure it gets news of vulnerabilities first, and can claim to protect its customers earlier.

However, eEye Digital Security describes TippingPoint's scheme thus: 'Upon closer investigation, one will find that 3Com's vulnerability purchase programme is an attempt to quickly bridge the knowledge gap that exists between themselves and other more successful vulnerability research teams.'

TippingPoint says it will freely share information it receives with other security vendors. But a spokesperson for eEye Digital Security told us that while details of new viruses may be shared around the antivirus industry once discovered, within security research things are quite different.

Like TippingPoint, eEye Digital Security notifies the vendor concerned of any flaws found, but no-one else. And details of the flaw are only made public once a fix is available and on agreement of both parties.

The other question remains as to what kind of researchers TippingPoint is trying to attract here. It seems unlikely that a respected security company would allow staff in its research labs to send discoveries off to TippingPoint so that they could collect a £3,000 cheque.

'Independent' is how TippingPoint describes them, and its scheme operates bizarrely like a Tesco card in reverse: the more vulnerability submissions it buys from you, the more points you earn. These points add up over the year to decide which level you attain, which in turn affects the bonuses and rewards available in the subsequent year.

Could this lead to a boom market of freelance security research bounty hunters? Given that TippingPoint suggests $5,000 as a fee it would pay for a submission, maybe so. Successfully submit 20 flaws and you have a six-figure salary. TippingPoint's top figure is pegged at $20,000 per flaw.

Even a far more modest figure would go a long way in, say, China or India, both of which have a vast and able army of IT experts.

Now, that's outsourcing.
