In an effort to thwart zero-day attacks, 3Com is launching a program that rewards security researchers for finding vulnerabilities.
3Com’s Zero Day Initiative (ZDI) is designed to help ensure reasonable disclosure of vulnerabilites and improve security for end users and businesses, said David Endler, director of security research at 3Com’s Tipping Point division.
3Com defined zero-day vulnerabilites as ones that are either undisclosed but known, or ones that are publicly disclosed without a patch available.
“Essentially, what we’re trying to do is help mitigate the danger and exposure that is introduced when a zero-day vulnerability is publicly disclosed without going to the affected vendor,” he said.
“The initiative rewards researchers for bringing vulnerabilities through our program and ensures that product vendors will be notified.”
A researcher who uncovers a flaw can submit it on the ZDI portal, slated to go live in mid-August. 3com researchers will to verify the vulnerability, determine its severity and decides whether to make a monetary offer to the researcher.
Endler declined to disclose a price range for the rewards, saying only that 3Com is “investing what it needs to make this program a success.”
If a researcher accepts the offer, he or she will have to give exclusive rights of the vulnerability information to 3Com, which will notify the affected vendor. 3Com will update its TippingPoint intrusion-protection systems to protect against the vulnerability and share details of the flaw to other security vendors one day before public disclosure. 3Com also plans to work with vendors on public disclosure, which will give credit to the researcher. 3Com will not work with anonymous researchers, Endler said: “We don’t want to be dealing with any black hats or illegal groups.”
The program offers researchers a way to gain recognition – if they choose – but not manage a relationship with the affected vendor, Endler said. Researchers who submit multiple vulnerabilities will receive additional rewards.
“We’re holding vendors responsible too. We want to make sure there’s a reasonable effort on their part to fix them [vulnerabilities],” Endler added.
Zeus Kerravala, analyst at Yankee Group, said 3com’s program is interesting and could help the networking company differentiate itself.
“It could help the industry and give recognition to 3Com that they’re a strong security player,” he said.
A Microsoft spokesperson said the industry has sought ways to improve the way information about security vulnerabilities is gathered and shared in order “to protect customers while not aiding attackers.”
Consequently, the software giant “applauds any responsible effort that helps protect computer users worldwide,” the spokesperson said.