Less than two weeks after Gartner disparaged TippingPoint's connection to a flaw-finding contest at a recent IT security conference, Frost & Sullivan commended the organization for research leadership and market growth.

The consulting firm selected TippingPoint as the recipient of the 2007 Global Frost & Sullivan Award for Market Penetration Leadership in the vulnerability research market, the Palo Alto, Calif.-based organization announced today.

The award is based on a year of flaw research included in Frost analysis, according to a company statement.

Rob Ayoub, industry manager at Frost & Sullivan, told SCMagazine.com today that the award recognizes TippingPoint’s increase in discovered vulnerabilities from 2005 to 2006.

"With TippingPoint being such a focus point and part of 3Com, they have a lot of relationships and clout to work with that other vendors and researchers don’t have," he said. "Despite the controversy, I’d much rather see TippingPoint have a vulnerability than some guy in Romania have it for three months and not know about it."

TippingPoint touched off a responsible disclosure controversy last month when it paid $10,000 for a QuickTime vulnerability discovered by researcher Dino Dai Zovi during a "hack-a-Mac" contest at the CanSecWest conference in Vancouver, British Columbia.

The QuickTime flaw was not publicly exploited by the time it was patched by Apple on May 1, according to researchers.

Trivial user interaction is needed to exploit the flaw, vulnerable on Windows and Mac OS X operating systems.

Pedram Amini, manager of security research at TippingPoint, told SCMagazine.com today that he believes there is nothing unethical about buying vulnerabilities from non-affiliated researchers. He said the recognition from Frost & Sullivan is well deserved by the company’s researchers.

"It’s very encouraging, and [the period of time recognized by the award] was about the time I was brought on board when we made a conscious decision to bring a lot of the research in house," he said. "We really wanted to be a source of discoveries."

"I think it’s a testament to what we do and all of the late nights we spend working on auditing," he said.

Terri Forslof, manager of security response at TippingPoint, told SCMagazine.com today that vulnerability purchases allow her company to take advantage of a large talent base of independent researchers.

"A lot of our intention is to augment our own research. There are so many brilliant security researchers out there, and they’re located across the globe," she said.

Gartner researchers, however, were not impressed by TippingPoint’s decision to buy the QuickTime flaw. In a research note released earlier this month, analysts Rich Mogull and Greg Young concluded that the "QuickTime vulnerability exposed by the contest poses wide risk," and urged vendors to "consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users."

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities – which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers," the researchers said.

Kris Lamb, director of X-Force Labs at IBM Internet Security Systems, told SCMagazine.com today that buying flaws from third-party researchers, instead of discovering them in-house, amounts to "buying a fake Rolex."

"I think we’ve been fairly direct about what our opinion is on what happened at CanSecWest, as well as the idea of a trusted security company participating in it and creating an unmanaged vulnerability discovery market out in the wild," he said. "We don’t believe that bug bounty programs benefit the industry, customers or the security community at large."

Read more about the QuickTime flaw controversy at SC Magazine Blogs.