3Com’s bounty hunter-esque reward program has been blasted by industry experts for being not quite as well-intentioned as first thought.
The company hit headlines over the last week with its scheme for rewarding security researchers who find software vulnerabilities.
But the scheme, although sold as generosity, gives the company a major advantage over its competitors by allowing them to update their products to fix bugs before the rest of the market knows about them. "It's not quite so altruistic as they claim," said Jon Collins, principal analyst at Quocirca. "And with this particular scheme, it might be a case of being careful what you wish for."
Collins argues that currently researchers look for vulnerabilities in a relatively narrow field of products. This scheme could unveil the relative insecurity of a number of other products by encouraging people to look further afield in order to get their bounty.
3Com hit back claiming that the scheme will benefit the industry as a whole and that it has a history of magnanimity.
"In February we set up the VoIP Security Alliance and that's been a major success," said a company spokeswoman. "What we're doing is preventing the scrambling by vendors every time a vulnerability in announced to the public."
In response to the 3Com scheme iDefense, recently acquired by Verisign has upped the ante by increasing the value of its own vulnerability bounty scheme. The spokeswoman said 3Com does not yet consider it, or other potential schemes, a threat.