Security vendors enter bidding war for vulnerabilities

As security personnel met at this week's Black Hat Conference in Las Vegas, there was easy money to be made at the security vulnerability table.

Earlier this week, TippingPoint, 3Com's security division, announced it plans to reward security researchers and hackers who reveal information on newly discovered vulnerabilities as part of its Zero Day Initiative. TippingPoint will pay as much as $2,000 for a verified vulnerability, company officials said.

Now iDefense, a security intelligence firm recently acquired by VeriSign, has raised the stakes, saying it will increase its payments for information on vulnerabilities.

The idea of the Zero Day Initiativ" is to ensure the "responsible" disclosure of security flaws to make the technology more secure for all users, according to David Enderle, director of security research for TippingPoint.

"We believe security researchers want to be recognized for their discoveries, but currently they don't often do it in a responsible manner. They announce the vulnerability to the world and then it is a race between the software company and the hacker community to either build a fix or exploit the code," he said.

A "zero day" attack occurs when a researcher discovers a vulnerability and discloses the flaw to the public without first notifying the vendor. This puts businesses and individuals at risk from the time of the disclosure until the affected vendor issues a patch. Some patches can be made in hours, but even then it takes time for affected machines to download the patches.

Under TippingPoint's program, it will inform the affected company of the vulnerability and wait for a patch to be ready before releasing the information to the rest of the world.

Companies like Microsoft have long resisted paying for information on vulnerabilities, believing a bounty will just encourage hackers to find flaws.

IDefense, which provides security intelligence services to large commercial and government clients, has long paid for vulnerability information to pass on to its customers.

"I think this initiative is a positive step for the industry. The goal of the ZDI is to proactively protect businesses as soon as possible against newly discovered vulnerabilities. That's an issue enterprises are very concerned about," said Victoria Fodale, a research analyst for In-Stat.

Vulnerability disclosure was also an issue for the Black Hat Conference itself when former Internet Security Systems (ISS) research analyst Michael Lynn quit his job to provide information on a serious Cisco Systems router vulnerability at the conference. ISS decided not to give a presentation on the flaw, but Lynn quit so that he could give the presentation.

The vulnerability has been patched by Cisco, but some companies don't update patches regularly.  In his presentation, Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software could be at risk, according to Lynn.