By Joris Evers
Staff Writer, CNET News.com
July 24, 2005
Found a security bug? TippingPoint will pay you for the details.
TippingPoint--part of 3Com--is soliciting hackers to report
vulnerabilities in exchange for money. If a valid bug is found,
TippingPoint will notify the maker of the flawed product and update
its security products to protect users against exploitation of the
flaw before an official patch has been released.
"We want to reward and encourage independent security research,
promote and ensure responsible disclosure of vulnerabilities and
provide 3Com customers with the world's best security protection,"
David Endler, director of security research at TippingPoint, said in
Austin, Texas-based TippingPoint sells intrusion prevention systems,
which are designed to protect against vulnerabilities, on servers,
desktops and other computers connected to an organization's network.
The payments are being offered under TippingPoint's new "Zero Day
Initiative." The company plans to announce the program on Monday and
celebrate the launch with a party in Las Vegas on Wednesday, the first
day of the annual Black Hat Briefings, an event for security
professionals and enthusiasts.
Few companies offer rewards for pinpointing software vulnerabilities.
The rewards are almost always paid by security companies for flaws in
other companies' software products. The payouts are used to gain a
competitive edge over rivals by having their products recognize more
Security intelligence firm iDefense, which was recently acquired by
VeriSign, and the Mozilla Foundation also pay security researchers, or
hackers. Mozilla offers $500 and a Mozilla T-shirt to those who find
critical security flaws in its products, which include the Firefox Web
Money has increasingly become an incentive for hackers. Program's such
as TippingPoint's offer a legitimate way for them to get paid for
their bug hunting. There is also an underground market for
vulnerabilities. Cybercriminals pay top dollar for previously
undisclosed flaws that they can then exploit to break into computer
systems, experts have said.
Bugs can be reported to TippingPoint through the Zero Day Initiative
Web site. TippingPoint investigates all reports and will deal only
with reputable researchers, Endler said. "We need to know exactly who
we are working with," he said. "We don't want to work with black hats
or illegal groups." Black hat is a term used to distinguish criminal
If a flaw is found to be genuine, TippingPoint will make an offer. The
amount depends on the scope of the vulnerability. A problem that lets
an attacker remotely access a computer will fetch more than a bug that
could only crash a system, for example. If the researcher takes the
offer, the rights to the bug report are signed over to TippingPoint,
An unspecified time after protecting its own customers and before a
fix is released, TippingPoint plans to share vulnerability details
with other makers of intrusion prevention products. "We're making an
altruistic gesture to protect a larger segment rather than just our
customer base," Endler said.
Those who report flaws to TippingPoint will get credit for their
discovery and can keep track of the status of the bug report through
the Zero Day Initiative Web site, Endler said. A special reward
program makes it lucrative to contribute multiple vulnerabilities, he
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.