FOR – Kip McClanahan, TippingPoint
3Com’s new Zero Day Initiative is a program designed to protect against zero day flaws. It rewards researchers who submit vulnerability information to the affected vendor to develop a patch.
We support security research to promote responsible disclosure and reduce security risks for affected users. In the absence of an incentive, researchers might publicly post this potentially harmful information.
Discovering vulnerability information is not uncommon. Researchers might even stumble across a flaw. Not all researchers are malicious. Most are security professionals who desire stronger security for the greater good.
We will not work with known black hats.
Security researchers should be rewarded for responsible handling. When zero-day vulnerabilities occur, the industry scrambles to find a solution and, in some cases, there are none.
We believe this is a viable solution to reduce zero-day vulnerabilities, which ultimately enhances security. It also gives researchers the recognition they desire without the negative repercussions of publicly posted vulnerabilities.
AGAINST – Ed Adams, CEO, Security Innovation
Paying researchers to find security vulnerabilities is not a positive step. It allows extortion, exploitation (of both people and software) and hacking.
First and foremost, calling those people who find and report security vulnerabilities for cash “researchers” is insulting to those of us who do this professionally and treat it with respect and responsible disclosure.
Unfortunately, there is already an all-too-common process where some researchers engage in threats like: “Pay me $X or I’ll sell this to iDefense,” or “Mr. Vendor, fix this vulnerability in three weeks because I am giving a paper on it at DefCon.”
Vendors that pay the public to find security holes tack a “hack me” sign on their backs.
Consider this: a less-than-ethical “researcher” finds a huge vulnerability in an online banking system and is now faced with reporting it for a few bucks or keeping the valuables they pry away from the system… tough choice.
And if he gets caught, he has the great excuse of: “They pay me to do it!”
That might even stand up in court.