
3Com to Buy Security Flaws?

Hemos posted more than 8 years ago | from the trying-new-models dept.

Security 105

Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article, "Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.""


105 comments

HOWTO: A Muslims guide to Backpacking in London (-1, Flamebait)

The_Fire_Horse (552422) | more than 8 years ago | (#13155914)

We've all seen the shocking bombings in London recently caused by extremist muslims who, quite frankly, have nothing better to do with their time.

But what about the 'normal' muslims, I hear you cry - how can they go about our lives in this post 7-7 world?

Hi, I'm The_Fire_Horse [slashdot.org] and you might remember me from such posts as
Cheese - what does it mean to the average Muslim, and
Islam - what *is* the point? I mean... really!

Today, we are going to discuss how the average bright eyed, yet naive Muslim can go about their lives following the devastating and shocking bomb attacks on London.

Step 1 - Don't be ashamed
You are a muslim - you have chosen your religion freely because your parents told you to and despite nagging doubts in the back of your head that it is all a bit 'silly', you will continue to follow whatever interpretation of the koran anyone happens to talk about. Don't feel dumb - it isn't your fault - remember, that you have millions of others thinking just the same way, so you must be right!

Step 2 - Pack up your camping gear
You are going out to the country, so you will need lots of supplies! Get yourself a nice big backpack and fill it with pots, pans, food, clothes and spare copies of the koran because you will be out in the wilderness for several days.

Step 3 - Heading for the train
The train trip will take a while, so you will want to listen to some 'koran on tape' cassettes - put your walkman in your rucksack and feed the headphone wires out the top so you have access to the music.
OK, IT'S TIME TO GO!!!
With your headphones hanging out of your rucksack and your teatowel wrapped around your head, you can now proudly walk out the door of your hovel to the nearest train station to head off to your camping trip.

Step 4 - Dealing with the Police
If the police take an interest in you, simply screech "ALLAH BE PRAISED" and reach for your headphones so that you can let them hear the magical insight of the 'koran on tape'.
Should the police then reach for their guns, you will need to quickly remove your student id from your inside jacket pocket and show it to them. Don't worry - everything will sort itself out (Allah will know what to do)

Re:HOWTO: A Muslims guide to Backpacking in London (-1, Offtopic)

dascandy (869781) | more than 8 years ago | (#13155957)

Dude, could you grow up?

Re:HOWTO: A Muslims guide to Backpacking in London (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13156010)

Muslims are just annoying.

If they aren't busy plotting your death they are busy whining about how peaceful they are...

Sort of like Americans.

Hopefully those fucktards will kill each other so civilization can move forward.

Hey, Muslims are not all bad!! (0, Offtopic)

Bazunok (868402) | more than 8 years ago | (#13156135)

Some of us spend weeks praying in an attempt to get closer to ALMIGHTY ALLAH.

You really shouldn't make fun of us, just because we believe in the Koran, instead of the Bible. Surely we are just as valid as Christians?

Re:Hey, Muslims are not all bad!! (1)

Bloke down the pub (861787) | more than 8 years ago | (#13157722)

We make fun of those too, and it's a darn sight safer - mainly because they gave up sawing people's heads off and putting videos of it on the internet long before there even was an internet.

And the real suicide bombers should dress up as... (0)

Anonymous Coward | more than 8 years ago | (#13156729)

... orthodox jews. Now that would create some fun!

Sadly, soon to come. (-1, Redundant)

BlackCobra43 (596714) | more than 8 years ago | (#13155915)

...are vulnerability blackmail and extortion ..or are they already here?

Re:Sadly, soon to come. (-1, Flamebait)

Patrik_AKA_RedX (624423) | more than 8 years ago | (#13156089)

Would be pointless. A certain OS company is already squeezing all the money from 90% of the vulnerable systems.

Re:Sadly, soon to come. (0)

Anonymous Coward | more than 8 years ago | (#13156113)

Honestly they've been here for a while. As an example, you have the Immunitysec 0-day club which vendors can pay into for a license to access publicly undisclosed vulnerabilities. Following along logically you can't help but see that this could be viewed as extortion. Assuming the vulns are decent and the license can be enforced, you put IDS and AV vendors in a situation where they basically have to pay in order to remain competitive. There's also the less advertised channels, like HBGary's standing offer to pay for exploits. Of course, there are various others, so it's already a pretty big game.

In the end though, it's funny that it's all really just the bastard child of QA. I mean, vulnerability research requires a lot of effort, but solving the security problems is a task that's better addressed at the design and implementation phases. So it becomes apparent very quickly that vulnerability researchers are far more concerned with cracking software than developing secure software. I guess some kids never grow out of it.

"Will deal only with reputable researchers" (5, Insightful)

xmas2003 (739875) | more than 8 years ago | (#13155934)

From the article: Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." The term "black hat" is used to describe criminal hackers.

So I gotta wonder how they are gonna determine who is reputable and who is not ...

Re:"Will deal only with reputable researchers" (3, Insightful)

}InFuZeD{ (52430) | more than 8 years ago | (#13155982)

Well... I imagine if they offer X amount of dollars per flaw in a certain system and the person asks for more money, then they aren't reputable. If a "researcher" was previously getting no money for the bugs they found, they'd probably take the little money they can get (I'm guessing TippingPoint won't be giving out a whole lot). If they're actually selling the thing to the highest bidder, I'm guessing TP isn't going to join in the bidding.

Re:"Will deal only with reputable researchers" (1)

CodeBuster (516420) | more than 8 years ago | (#13160468)

If they're actually selling the thing to the highest bidder, I'm guessing TP isn't going to join in the bidding.

Why wouldn't they sell to the highest bidder then turn around and sell it to tipping point as well? There is after all no honor among most thieves. The only reason that they might not do this is to protect their right to future deals with the underworld, but if they can find a way to sell the information anonymously in both cases then it would be like selling arms to both sides in a conflict, very lucrative as long as both sides do not know who they are really buying from.

Re:"Will deal only with reputable researchers" (4, Insightful)

cnettel (836611) | more than 8 years ago | (#13155987)

Well, for a start, it could indicate that they won't be making any anonymous payments, or payments through proxies.

Give us your identity, and your bug, we give you the money. Sounds fair.

Incentive for giving identity? (0)

Anonymous Coward | more than 8 years ago | (#13156453)

Isn't the law in USA trying to lean towards "if you figure out these exploits then you ARE a criminal" ? If so, wouldn't you want to remain anonymous?

Open Source = disreputable researchers (1)

infonography (566403) | more than 8 years ago | (#13156032)

that's the Microsoft/SCO theory anyway. (and yes I am kidding)

It's the 1849 gold rush all over again. (0)

Anonymous Coward | more than 8 years ago | (#13155938)

There's money to be made, but not in the gold fields of California, but in the datafields of Microsoft. "There's bugs in them thar discs!!!".

Good idea (5, Interesting)

dmurray14 (899569) | more than 8 years ago | (#13155939)

Much better way to deal with bugs, I'm surprised no one thought about this before. I guess the real test will be to see how they deal with the bugs they "buy"

SunOS - Solaris (2, Interesting)

bsd4me (759597) | more than 8 years ago | (#13156185)

IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.

yes, it worked for me... (3, Insightful)

scotty777 (681923) | more than 8 years ago | (#13156205)

20 years ago I wrote a security system, and offered the staff a free lunch if they could find any "undocumented behavior". It's a quick and cheap way to build confidence. I had a couple of takers, but both quit their spiel while they were laying out their case... Seems they didn't RTFM! ; )

Re:Good idea (2, Interesting)

idokus (902277) | more than 8 years ago | (#13156937)

I thought mozilla already has done this, it was a while ago, (think around 2001 or 2002, but that's just a hunch).
If I remember correctly they offered $500 for each security flaw in the mozilla browser or something.

Re:Good idea (0)

Anonymous Coward | more than 8 years ago | (#13160821)

They didn't.

If they had offered $500 for security flaws, they would be bankrupt at this point.

Re:Good idea (2, Interesting)

arivanov (12034) | more than 8 years ago | (#13157564)

3Com has a long history of it.

Speaking from experience. The company I used to work for reported to them a serious security flaw on their switches in 1998 and as a result I ended up filling the boot of a midsize station wagon with kit. The 3Com country rep opened the storage room with the demo gear and told the beancounters who had some objections to shut up. Some of it was new, some of it bargain bin age and quality. Considering that the cost was 0 we did not really care. Most of it got used. They also gave us some better than "normal" discounts on purchases from then on.

Re:Good idea -translation (1)

saskboy (600063) | more than 8 years ago | (#13160312)

Many North Americans might not realize that a "boot" is a car trunk, and "kit" I take as meaning equipment from the 3com storage room.

Re:Good idea (1)

AuMatar (183847) | more than 8 years ago | (#13157798)

Knuth will pay you if you find a bug in either his books or TeX. It's a pittance, but a nice geek showpiece if you get one, I'd suggest framing it. And no, I am not cool enough to have earned one. :(

Re:Good idea (1)

poopdeville (841677) | more than 8 years ago | (#13159412)

It's $2.56 (a hexadecimal dollar) if you find a new bug in TAOCP. I don't think he's paying for bug hunting in TeX anymore, since he's not really involved with TeX anymore. He has a nice signature. Not that I have one either.

Wow (4, Funny)

truckaxle (883149) | more than 8 years ago | (#13155944)

I knew 3COM was big, but big enough to buy Microsoft? Wow!

Re:Wow (0)

Anonymous Coward | more than 8 years ago | (#13156493)

Hmm, I was kind of thinking the opposite: this is a great way for Microsoft to milk 3Com. I mean, who knows how to create security problems better than Microsoft? And now they can get paid for it!

I knew it would happen one day.... (0, Troll)

coolnicks (865625) | more than 8 years ago | (#13155968)

My very own get-rich-quick scheme. I'm Rich! Yay!

Simple solution (4, Insightful)

Sierpinski (266120) | more than 8 years ago | (#13155970)

If someone is able to break into your system offer to pay them to keep it secure from others like themselves.

What was the famous counterfeiter's name that the FBI hired to spot fakes? He was the basis for the movie 'Catch me if you Can'.

Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.

Re:Simple solution (2, Insightful)

myspys (204685) | more than 8 years ago | (#13156023)

Frank Abagnale Jr [crimelibrary.com] is the man you're looking for!

Re:Simple solution (-1)

Anonymous Coward | more than 8 years ago | (#13156042)

Frank Abignail

Re:Simple solution (4, Interesting)

kfg (145172) | more than 8 years ago | (#13156605)

Frank Abagnale was the Kevin Mitnick of his time, and although he was a master counterfeiter his chief skill was in "social engineering."

Brazen, fearless and with a personality to charm the socks right off of you, if he had stuck to cons he might well never have been caught (bad paper leaves a paper trail). Having once caught him, keeping him caught proved to be a bit of a problem and on one occasion he simply talked his way out of prison.

It isn't listed in his IMDB entry (which he has by virtue of being the author of Catch Me if You Can), but he once made an appearance on The Tonight Show with Johnny Carson and so impressed me that it is one of the few Tonight Show interviews that has always stuck with me.

I haven't read the book, so it may well be the blurb that is at fault, but certain discrepancies between the book blurb at Amazon and things he said in that interview suggest to me that he's never really given up the con game and we'll never know what is the truth and what is the self generated myth about him.

He should have gone into politics.

KFG

Re:Simple solution (1)

j2asghar (879135) | more than 8 years ago | (#13159660)

Actually, it was a former-"girlfriend" stewardess that found out about him living somewhere in southern France that tipped off the police.

Re:Simple solution (1)

kfg (145172) | more than 8 years ago | (#13160867)

Ah, yes. A trail of former "girlfriends" was his other mistake.

KFG

Re:Simple solution (2, Insightful)

paranode (671698) | more than 8 years ago | (#13157250)

Legitimized extortion? I think the companies that would hire a criminal to secure their network and put full faith in him not to abuse the data he has access to are few, far between, and frankly a little nutty. It's just a publicity stunt when a company does this. There are a lot of very qualified white hat experts with a long resume of experience and referrals that are a lot more trustworthy and probably more knowledgeable than the kid from Finland who used his l33t skillz to run his script from IRC against your server.

Re:Simple solution (2, Insightful)

Sierpinski (266120) | more than 8 years ago | (#13157512)

You must not get out much. This type of thing happens, and in my opinion makes perfect sense. Who better to secure your network than the person who got in? Calling these guys criminals (now I'm talking about the ones who actually do nothing malicious OTHER than enter a system that they do not own) is a social thing, not necessarily an ethical one. (I won't get into the debate about whether or not someone can walk into your house because the door is open, blah blah blah) but not only would these companies allow them to do what they obviously enjoy, but they would get a nice paycheck to keep them honest.

Your white hat professionals may have taken a class, been taught by a friend, employers, etc, but most of those people will never match up to the teenager who took it upon himself to learn the details of how to enter a system. That's the difference between having just a 'job', and having a great passion for what you do.

Re:Simple solution (1)

paranode (671698) | more than 8 years ago | (#13158225)

Sounds like you just have an overblown sense of glorious admiration for teenage miscreants.

If I knew a company I did business with was using some kid who breaks into other people's systems for fun to safeguard my personal data, I would quit doing business with said company. It's one thing to hire them as a contracted penetration tester, it's an entirely different thing to hire them full time to guard your sensitive data. Maybe you were referring to the former, in which case I can agree with you.

Clearing house for bugs Nice idea however (5, Insightful)

infonography (566403) | more than 8 years ago | (#13155994)

They don't share the info on the exploits. With CERT the bug is known even if crucial details are not. With 3Com, it's a murky secret. According to their own data they will sit on them until they have notified every security company first. Only then will they tell the public, putting everybody at risk. Worse yet, from a business standpoint they can pay of a exploit only to have somebody else notify the world the next day. That's money lost. Unless they want to go and copyright the exploit they are assed out.

Re:Clearing house for bugs Nice idea however (0)

Anonymous Coward | more than 8 years ago | (#13156278)

2 things:

1) there is already a market for UNdisclosed security bugs. Trying to structure this market is a good thing for everyone. I prefer that 3Com (or other respectable companies) buy the information about a security bug rather than a bad guy (who will use this info not to make security patches but to attack or steal).

2) Security professionals will be informed immediately of the security flaw. What that means is that 3Com is putting money on the table and releasing this info to security vendors for free. Thus security professionals are informed (so they can update their products like firewall, anti-spyware, etc..) and not the script kiddies ... I don't have a problem with this.

Think about it, before this initiative, the UNdisclosed security flaws remained UNdisclosed! Now there is a chance that more hidden flaws will surface.

Worse yet (3, Interesting)

infonography (566403) | more than 8 years ago | (#13156302)

The issue is that if you get paid for finding a flaw, you could get sued for it and there is a nice money trail back to you. 3Com makes no pretense at anonymity or grants any immunity from liability. While I admit that's not likely, they would sue 3Com first and name you as a co-defendant, you're still in it with them. This has happened in the past, I see no reason it's not gonna happen again.

Re:Worse yet (1)

k98sven (324383) | more than 8 years ago | (#13160252)

When has this happened in the past?

Re:Clearing house for bugs Nice idea however (1)

mendaliv (898932) | more than 8 years ago | (#13156479)

they can pay of a exploit only to have somebody else notify the world the next day. That's money lost.

With any bug submitted we *could* see an announcement a day later (or whenever the check clears), but remember that 3Com says they're only gonna accept submissions from reputable sources. I bet that leaking information would kind of mark you as disreputable.

In any case, let's say we have a 24 hour time lag from when some guy submits it and he publicly announces it. It's still gonna take more time for worm writers to hear about it, more time for them to fully comprehend how it works, more time for them to write the worm implementing the exploit, possibly time to test it, time to seed various locations in the world with sample infections, and finally time for it to propagate.

I work as a technician at a public university's dorms fixing personal computers. It's nice to have time to prepare for a storm of infections, but if anti-virus definitions come out in time, then it really saves me a headache.

swings and misses (0)

Anonymous Coward | more than 8 years ago | (#13156811)

"pay of a exploit only to have somebody else"

"I bet that leaking information would kind of mark you as disreputable" mendaliv (898932)

So you just don't have a good grasp of english.

I would advise that from now on you just posted Anonymously.

---

What country are you from? WHAT is no country I ever heard of do they speak English is WHAT? ENGLISH, Mudda&**&* do you speak it?

I gave them money (-1, Offtopic)

Xargle (165143) | more than 8 years ago | (#13156008)

buying one of their shitty OfficeConnect WLAN/ADSL routers. It has several annoying features including regular hangs and connection drops on both the WLAN and WAN side. Do they fix their broken software despite knowing of the problems? No. They despatch sage advice such as "turn the firewall off and it might stop crashing".

I would never trust them for any sort of corp. networking gear having seen the total balls-up they can make at the consumer end.

Re:I gave them money (1)

jurt1235 (834677) | more than 8 years ago | (#13156061)

They are talking about security. They will claim that your router is 100% secure at the moments it hangs, so nothing to see here, please keep moving (-:

So to summarize (3, Insightful)

Rosco P. Coltrane (209368) | more than 8 years ago | (#13156009)

3Com gets paid to alert its customers of vulnerabilities in near-real-time. Which means, more vulnerabilities fixed == less $$$ for them over time.

Hmmm, great business model...

Re:So to summarize (0)

Anonymous Coward | more than 8 years ago | (#13156101)

not really..

more vulnerabilities fixed = more vulns. to alert about. getting them fixed is sort of inconsequential to the business model.

Re:So to summarize (2, Insightful)

I8TheWorm (645702) | more than 8 years ago | (#13156403)

Not really... now they're paying people to help them earn that money. Someone submits a vuln to 3Com, gets paid a few hundred or thousand dollars, and 3Com gets the many thousands they're already charging their customers. Then they work on a fix, and get some glory on the back end.

Seems a pretty sound business model to me.

Re:So to summarize (1)

Rosco P. Coltrane (209368) | more than 8 years ago | (#13156477)

What I meant was, if their business model really works, they'll report vulns to their original "owners", the vulns will get fixed, and there will be less and less vulns to be rooted out, until eventually the money well is close to dry.

Re:So to summarize (1)

I8TheWorm (645702) | more than 8 years ago | (#13156600)

Sure, but in the time between that vuln being reported to 3Com and it being fixed by the company who owns the software, people still want to know about it. I think that window is where 3Com is looking for profit.

Re:So to summarize (1)

hal9000(jr) (316943) | more than 8 years ago | (#13156613)

What I meant was, if their business model really works, they'll report vulns to their original "owners", the vulns will get fixed, and there will be less and less vulns to be rooted out, until eventually the money well is close to dry.
Nah. There will still be plenty of vulns in software until developer organizations start to make secure coding a priority. Even then, there will still be security problems made by well meaning people.
In addition, there will always be unpatched systems for whatever reason.
I don't think IPS is a really good defensive strategy, but it is a viable business.

Re:So to summarize (1)

GT_Alias (551463) | more than 8 years ago | (#13157261)

Doubtful there will be any shortage of vulnerabilities for a while.

OMG (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13156018)

OMG 0day!! th4tz so 31337!

3com r the pwnag3.

Money has increasingly become an incentive (-1)

Anonymous Coward | more than 8 years ago | (#13156026)

Most hackers I know are hunter gatherers. When the supply of old pizza crusts is exhausted, they migrate to a new range.

Great. (-1, Redundant)

torpor (458) | more than 8 years ago | (#13156027)

Yet another way for Microsoft to generate revenue.

Did I read that right? (1, Insightful)

$RANDOMLUSER (804576) | more than 8 years ago | (#13156034)

Did it really say that a vulnerability detection company was going to pay people to create/discover vulnerabilities so they could be detected???

This reminds me of mob "insurance".
"You know, if you don't pay us to protect you, something bad could happen to you."

Anyone else see a moral issue here?

Re:Did I read that right? (2, Insightful)

Rosco P. Coltrane (209368) | more than 8 years ago | (#13156087)

Your post makes no sense: what does "pay people to create/discover vulnerabilities so they can be detected" mean? Have you RTFA?

Secondly, there is no mob insurance: 3com won't crash non-subscribers' computers after making threats, they'll tip people who discover already existing vulnerabilities, and get money from other people to tell them early about them. Take your tinfoil hat off already, gee...

Re:Did I read that right? (0)

$RANDOMLUSER (804576) | more than 8 years ago | (#13156146)

And you don't think that these vulnerabilities, once discovered, thanks to the incentive program, will make it into the wild?
And you think that 3Com will share the details (early) with their competitors so that their customers can be protected too?
No, I think we're on the way to having "exclusive" vulnerability protections.

Re:Did I read that right? (1)

Rosco P. Coltrane (209368) | more than 8 years ago | (#13156204)

And you don't think that these vulnerabilities, once discovered, thanks to the incentive program, will make it into the wild?

And who would leak them? 3Com? if they did, they'd quickly get sued, or their program would go bust.

And you think that 3Com will share the details (early) with their competitors so that their customers can be protected too?

Again, if they discriminate against their competitors, it'll be noticed very quickly and the program will lose credibility.

No, I think we're on the way to having "exclusive" vulnerability protections.

I think you really do need to stop using tinfoil. Also, I still don't understand where your "mob protection" remark fits in.

Re:Did I read that right? (1, Insightful)

Roland Piquepaille (780675) | more than 8 years ago | (#13156124)

Only on Slashdot can tripe like this be modded up +4 Insightful. It's not insightful, it's completely inaccurate, and borderline karma-whore.

Re:Did I read that right? (0, Offtopic)

$RANDOMLUSER (804576) | more than 8 years ago | (#13156178)

MY LIFE IS NOW COMPLETE!!!

Roland Piquepaille called me a karma-whore!
Eat your hearts out!!!

Re:Did I read that right? (1)

Roland Piquepaille (780675) | more than 8 years ago | (#13156237)

*Sigh*

Another proof that you're posting without knowing what the hell you're talking about: I AM NOT THE REAL ROLAND PIQUEPAILLE. The real one is here [slashdot.org] .

Did *I* read that right? (1)

AEton (654737) | more than 8 years ago | (#13156131)

Did it really say "0-day Initiative"?

That's like AOL founding the "^_^Rofloffle Institute for Instant Message Research".

Re:Did I read that right? (1)

ninja_assault_kitten (883141) | more than 8 years ago | (#13156158)

No idea what you're talking about. This is no different than any other security research company (eEye, ISS, etc) with one exception, they accept findings from outside sources.

Re:Did I read that right? (0)

Anonymous Coward | more than 8 years ago | (#13156765)

You know, if you don't pay us to protect you, something bad could happen to you."

Emphasis mine, please elaborate on how this compares to what 3Com is doing.

More likely scenario... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13157796)

Hypothetical situation here:

1) Some hackerpunk writes the new and improved FloobleSchnork worm, which attacks, crashes and spreads thru Cisco switches and routers running IOS.

2) 3Com buys the intellectual property of this worm from the hackerpunk and develops a solution to defend against it.

3) 3Com, of course, patents the holy crap out of their solution in such a manner that nobody else can implement any form of solution whatsoever to defend against the worm. The USPTO, in their brilliant wisdom, grants the patent in the time it takes for your average bureaucrat to rubber-stamp a sheet of paper without reading it.

4) ??? *

5) Profit!!!

* Where the mystery "???" step is either (A) Cisco tries to write a fix into their IOS and 3Com sues them for patent infringement or (B) Cisco just caves in and licenses the patented technology from 3Com. Either way, step #5 still produces 3Com's desired end-result.

So they buy the vulnerabilities (2, Interesting)

jurt1235 (834677) | more than 8 years ago | (#13156038)

And have a great bonus program which will pay you a nice bonus, but what they fail to mention is how much a vulnerability is worth. They have all that it needs here just to screw you with:
1. 3-com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
2. Another researcher (who wishes to stay anonymous) already submitted this bug
It would be nice if they said how much the base is that they are willing to pay, and that you can look in the bug database (probably just on some kind of specific property so you can recognize the bug).

However I do like the ZDI platinum bonus: Blackhat training in Las Vegas (with the $20.000 bonus, should be a good few days (-: )

DIY funding (5, Insightful)

James McGuigan (852772) | more than 8 years ago | (#13156081)

How long till someone finds a security flaw in 3com's online payment system and assigns themselves a financial reward for discovering the security flaw.

Re:DIY funding (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13156106)

you're a fucking idiot

Obligatory comment (3, Funny)

jurt1235 (834677) | more than 8 years ago | (#13156093)

If Microsoft would do this, they would go broke (-:

Re:Obligatory comment (2, Funny)

James McGuigan (852772) | more than 8 years ago | (#13156142)

1. Deliberately create security flaw in Windows
2. Notify 3com of security flaw
3. Wait 5 working days
4. Profit

Re:Obligatory comment (0)

MarkByers (770551) | more than 8 years ago | (#13156230)

An interesting conspiracy theory, here is another one:

1) Deliberately create security flaw in Windows.
2) Break into government and competitors systems.
3) ???
4) Profit!

But more likely the security errors they make are purely accidental. Microsoft do use some rotten business tactics occasionally, but I'm sure they wouldn't go as far as to deliberately make it easy to compromise Windows. If they were breaking the law in this way and got caught, it would do their reputation a lot of damage.

Writing secure software is hard, and Microsoft make mistakes, like everyone else.

Re:Obligatory comment (1)

ciroknight (601098) | more than 8 years ago | (#13158540)

Nah, they'd simply give you a free copy of Windows as your commission, hell, they can buy off the EU with it, it's good enough for you!

If you really want a bug to be fixed... (0)

mikes.song (830361) | more than 8 years ago | (#13156098)

If you really want a bug to be fixed...

Post the details of the vulnerability on Slashdot. That's the one way to get the company responsible for the flawed code to fix it, fast.

Wonderful ! (0)

Anonymous Coward | more than 8 years ago | (#13156104)

I think this is a great initiative!

Now you can make money AND have a positive impact on online security and thus society.

Once I reported a (serious) bug and I was mostly treated as a criminal. With this program I'll earn some money and I don't have to deal with irresponsible companies that prefer to ignore bugs.

Well done 3Com!

and the owner? (1)

camcorder (759720) | more than 8 years ago | (#13156130)

So will they credit the bug hunters, or will they treat them as their workers? Sharing information is a good move, but isn't that a marketing strategy that will make people think like 'Look, 3com is the first to find vulnerabilities from all that reports'?

Re:and the owner? (1)

jurt1235 (834677) | more than 8 years ago | (#13156206)

Well, it is for accredited researchers only. The point is, if I am a researcher, I will most likely find this bug during working hours, so the bonus will go to my employer, or he will wonder what I have been doing, or why 3com pays me. With a bit of luck I will be able to go to the Vegas Blackhat training, but most likely my boss will go.

They need to expand the program already to involve the white hat community (at least).

Are they building up Intellectual Property (4, Interesting)

uid000 (895926) | more than 8 years ago | (#13156244)

If they "buy" a software vulnerability, and build a signature for it, will somebody else who builds a signature (e.g., snort) for it be violating some IP right like copyright or patent?

Re:Are they building up Intellectual Property (1)

ninja_assault_kitten (883141) | more than 8 years ago | (#13156420)

No, the exploit itself is owned by TippingPoint but the signature to detect it is open. BTW, IDS is a horse with a broken leg.

Re:Are they building up Intellectual Property (3, Informative)

Anonymous Coward | more than 8 years ago | (#13156446)

The answer is no.

From their FAQ (http://www.zerodayinitiative.com/faq.html [zerodayinitiative.com] ):

Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?

We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.

Re:Are they building up Intellectual Property (1)

GT_Alias (551463) | more than 8 years ago | (#13157316)

>in an effort to do the most good with the information we have acquired

Not to be cynical, but I believe that will only apply so far as they are profiting from this program. If this starts to turn into a money loser, any policy that might be costing them a competitive advantage while only gaining them an improved community image will probably be the first to go.

Not the first one (0)

Anonymous Coward | more than 8 years ago | (#13156265)

3COM is not the first security company to buy 0days. I am aware of several others, including iDefense (recently acquired by Verisign), who were doing this and reselling their advisory services.

I don't see a big problem in this if they share it with CERT, even if they give priority notification to their large accounts.

Since they are competing with money... (1)

pickyouupatnine (901260) | more than 8 years ago | (#13156266)

Will they be able to match the underground organizations that they are trying to compete with - buck for buck - for the love of a black-hat?

Once you've stolen a couple of thousand credit card numbers, you can quite easily buy vulnerabilities - because no one's really accountable to the money you spend.

Companies such as 3Com, on the other hand, have limited budgets, albeit big budgets but limited nonetheless. How will 3Com explain it to their customers and shareholders when a hacker sells a vulnerability first to an underground org, and then to 3Com?

I suppose it's better than appealing to a hacker's conscience. Maybe a solid job offer for discovering 10+ vulnerabilities first might work? ..

Re:Since they are competing with money... (2, Insightful)

Kiryat Malachi (177258) | more than 8 years ago | (#13157432)

Because it is *legal* money, requiring no fencing, no laundering, and above all providing no legal risk to the individual finding the vulnerability.

And if you discover a pattern in one of your suppliers wherein a vulnerability they sell you always shows up with the blackhat organizations at the same time... well, that's why you required traceable identity information before you paid them.

The law, in this case, acts as the stick. Money, as always, is the carrot.

Program's ?? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13156286)

I am willing to give money to people so they can go back to grade school and learn that YOU DON'T USE AN APOSTROPHE TO MAKE A PLURAL.

Not the first (0)

Anonymous Coward | more than 8 years ago | (#13156300)

As others have pointed out in more esteemed fora, this is not the first attempt to establish some sort of double-blind auction for 0day exploits - iDefense [idefense.com] have been trying it for a long time. To paraphrase Halvar (I think it was?) "we don't trust them, either." (Which is a shame really as they've released some good software to the community - iDefense that is - but the lame "sell us your 0day" programme lost them probably more cred than the software earned them.)

Missing step found! (3, Funny)

SkjeggApe (649721) | more than 8 years ago | (#13156320)

Step 1: Create popular, mission critical software that every business will want to install
Step 2: Insert sneaky vulnerabilities
Step 3: Sell bugs to 3COM
Step 4: PROFIT!!!!

Re:Missing step found! (0)

Anonymous Coward | more than 8 years ago | (#13157574)

Step 5: Goto Step 2

Create bad software and earn big money!! (0)

Anonymous Coward | more than 8 years ago | (#13157056)

This just seems like rewarding people for deliberately creating bad software and then turning around and selling the vulnerabilities to 3Com for money.

In theory it's a great idea, but once the "human factor" comes in...

"Homer: Marge, I agree with you -- in theory. In theory, communism works. In theory." (The Simpsons)

Money where their mouth is (2, Interesting)

B11 (894359) | more than 8 years ago | (#13157079)

A lot of hackers will have to put their money where their mouth is. I hear a lot of even "black hats" say they do it for sport, for money, etc., but not maliciously. This provides them an outlet to safely do so; let's see if they bite.

This is a double-edged sword (2, Insightful)

confusion (14388) | more than 8 years ago | (#13157129)

On one hand, this bounty will motivate "hackers" to disclose vulns to 3com, who then will work with the vendor to fix the problem - and make themselves look good in the process - which means there is a legitimate way for some of these people to make real money off of their discoveries instead of turning them into worms or viruses.

And on the other hand, there is a lot of potential for abuse. We could see vulnerability stuffing in open source to get a kick-back (I know it's hard to believe it could happen, but remember - there is money involved), we could see 3com dissing people on the bounty checks, which could motivate the hacker to turn the vuln into a worm more quickly to get back at 3com, and then there is just the fundamental philosophy that 3com is rewarding someone for doing something bad.

We're going to have to wait to see how this plays out over time. It doesn't seem like a good idea to me, but then 3com has to be able to compete with the big boys now that they own Tipping Point.

Jerry
http://www.cyvin.org/ [cyvin.org]

Just had an idea... (2, Funny)

OhHellWithIt (756826) | more than 8 years ago | (#13157339)

Maybe I could patent a vulnerability, then sell the patent to SCO.

LOL, yeah right. (0)

Anonymous Coward | more than 8 years ago | (#13157382)

LOL, this sounds like the guy on the corner who tells you "give me $20 and I'll be right back with your smoke, just gotta get it from my buddy."

Give us what we want and we MIGHT give you what WE THINK is fair.

Danegeld? (2, Interesting)

chiph (523845) | more than 8 years ago | (#13157447)

Isn't this similar to the Danegeld [wikipedia.org] that the English used to pay to the Vikings, to keep them from pillaging their towns & burning their crops?
(worked for a time, anyway).

Chip H.

No `advanced notice' for open source code? (3, Insightful)

shadowspar (59136) | more than 8 years ago | (#13157498)

I don't like the sound of this:

What types of security vendors are eligible for the advanced notice?

In order to qualify for advanced notice, the security vendors must be in a position to remediate or provide protection of vulnerabilities with their solution, while not revealing details of the vulnerability itself to customers. The security vendor's product must also be resistant to discovery of the vulnerability through trivial reverse engineering. An example of such a vendor would be an Intrusion Prevention System, Intrusion Detection System, Vulnerability Scanner or Vulnerability Management System vendor.

This clause seems to indicate that no open source projects are going to benefit from this `advanced notification' scheme. Since patches to open source code are, well, open source, they'd be construed as revealing the nature of the vulnerability, and so 3com won't release the vulnerability information. I really don't like the fact that this clause seems to be giving closed-source products and vendors a leg up when it comes to security notifications.

Program's (1)

edittard (805475) | more than 8 years ago | (#13157760)

Program's what?

Hemos? Ignoramus more like.

Now This Makes Sense (1)

ZOverLord (902034) | more than 8 years ago | (#13159518)

The only way you can get all color hats to really use their talents to rip apart, test, and validate where holes are located is CASH! Maybe, just maybe some standards will evolve on how to properly design, write and test software prior to releasing it to the public. There is no excuse with the tools available today for some of this stuff to actually make it past a QA department evaluation. If companies want others to locate problems, there is no reason why those OTHERS should not be paid for their time and effort.

Re:Now This Makes Sense (1)

egypt_jimbob (889197) | more than 8 years ago | (#13160153)

Maybe, just maybe some standards will evolve on how to properly design, write and test software prior to releasing it to the public

It's called cleanroom programming [wikipedia.org] (it's also known as "zero defect" see my school's [nmt.edu] cs427 about half way down the page)

.... let me think, how did _we_ call that..... (1)

damicha (874252) | more than 8 years ago | (#13162299)

blackmail.....

extortion......

actually, between all the Billions I made from suckers, it is very difficult to actually pinpoint that kind of a revenue.....

oh, yes.............racketeering............

that's the U.S. word for it......

good grief, nearly missed that one..........