Offering a bounty for security bugs

Found a security bug? TippingPoint will pay you for the details.

TippingPoint--part of 3Com--is soliciting hackers to report vulnerabilities in exchange for money. If a valid bug is found, TippingPoint will notify the maker of the flawed product and update its security products to protect users against exploitation of the flaw until an official patch is released.

"We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection," David Endler, director of security research at TippingPoint, said in an interview.

Austin, Texas-based TippingPoint sells intrusion prevention systems, which are designed to protect against vulnerabilities on servers, desktops and other computers connected to an organization's network.

The payments are being offered under TippingPoint's new "Zero Day Initiative." The company plans to announce the program on Monday and celebrate the launch with a party in Las Vegas on Wednesday, the first day of the annual Black Hat Briefings, an event for security professionals and enthusiasts.

A few companies offer rewards for pinpointing software vulnerabilities. The rewards are almost always paid by security companies for flaws in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their products recognize more vulnerabilities.

Security intelligence company iDefense, which was recently acquired by VeriSign, and the Mozilla Foundation also pay security researchers or hackers. Mozilla offers $500 and a Mozilla T-shirt to those who find critical security flaws in its products, which include the Firefox Web browser.

Cash on the line
Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.

TippingPoint rival Internet Security Systems does not believe in paying for vulnerabilities, said Neel Mehta, the team leader of X-Force Research at ISS. The Atlanta-based security company does its own bug hunting, he said. "They are looking to get hackers to do their research for them. We don't agree with that. It comes down to who you want to be in business with," Mehta said.

Furthermore, iDefense's cash-for-bugs offer has mostly resulted in the discovery of low-level security vulnerabilities, Mehta said. "We don't see a lot of hard-hitting vulnerabilities being sold to security companies. Hackers want to keep those to themselves and use them to exploit systems in the wild," he said.

"I'd be surprised if the people who are finding these vulnerabilities in the hacker underground are motivated to sell them for a few thousand dollars to a security company, when they might make a lot more by holding onto them and using them for economically motivated hacking," Mehta said.

Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups." The term "black hat" is used to describe criminal hackers.

If a flaw is found to be genuine, TippingPoint will make an offer. The amount depends on the scope of the vulnerability. A problem that lets an attacker remotely access a computer will fetch more than a bug that could only crash a system, for example. If the researcher takes the offer, the rights to the bug report are signed over to TippingPoint, Endler said.

For security researchers, the launch of the TippingPoint program might mean an opportunity to get more money for their work, said Gael Delalleau, who has contributed to both the iDefense and Mozilla programs.

"We will see a legal market appear to trade vulnerability information. If a good price comes out from the competition between the actors of this market, it will definitely attract more people to legal security research," the security researcher said in an e-mail interview with CNET News.com.

An unspecified time after protecting its own customers and before a fix is released, TippingPoint plans to share vulnerability details with other makers of intrusion prevention products. "We're making an altruistic gesture to protect a larger segment rather than just our customer base," Endler said.

Those who report flaws to TippingPoint will get credit for their discovery and can keep track of the status of the bug report through the Zero Day Initiative Web site, Endler said. A special reward program makes it lucrative to contribute multiple vulnerabilities, he said.

TippingPoint's system also could help security researchers to responsibly disclose their findings. Today, some security researchers get frustrated trying to find the right contact at large software vendors to work to get the bug fixed.

Last week, Alexander Kornbrust of Red Database Security decided to disclose six flaws in Oracle products because the database maker had not fixed the issues almost two years after he reported them.