Bidding for bugs?

TippingPoint's new Zero Day Initiative has some security researchers seeing dollars in their eyes. There now is another place to go to with information on security vulnerabilities, aside from underground buyers that is. TippingPoint and rival iDefense may end up bidding against each other for details on bugs.

"We will see a legal market appear to trade vulnerability information. If a good price comes out from the competition between the actors of this market, it will definitely attract more people to legal security research," Gael Delalleau, a security researcher in France who has contributed the iDefense program, told CNET News.com.

TippingPoint is celebrating the launch of the Zero Day Initiative at the Black Hat Briefings security event in Las Vegas on Wednesday. The company has not disclosed how much it will pay for flaws, iDefense also does not disclose what it offers.

Before TippingPoint, a unit of 3Com, joined, iDefense was the main legal buyer of vulnerability information, according to Delalleau. "It was like a monopoly," he said. Delalleau is happy to see change, but would like to see more programs from various countries and companies. "To keep a balance and not export all sensitive knowledge to the same group of people," he said.

On average, iDefense may pay between $300 and $1000, depending on the vulnerability, Delalleau said. "That's less than a day worth of consulting," he said.

Aside from getting a fair price for research work, Delalleau hopes, bug bounty programs may help "kill the myth" about hackers and exploits. It is not some dark art. "Vulnerability research is just a skill," he said. "No black magic there."