In-Depth

Zero Day Initiative Trades "Points" for Vulnerabilities

Know of a harmful vulnerability that hasn’t gone public? A new program wants to hear about it.

• By Mathew Schwartz
• 08/02/2005

How can businesses better protect themselves against unknown software flaws (vulnerabilities) and the so-called zero-day exploits that target them?

A new program, the Zero Day Initiative (ZDI), launched by TippingPoint, a division of 3Com in Marlborough, Mass., wants to help by compensating security researchers for sharing their vulnerability discoveries. “Increasingly, an ecosystem is developing around technical security research knowledge concerning as-yet-undisclosed vulnerabilities,” notes 3Com. “We believe that one effective way to capture this data is by establishing a best-of-breed research clearinghouse and community.”

The goal is to better manage unknown vulnerabilities, from discovery through patching to public disclosure. “Through this program, we seek to ensure that newly discovered vulnerabilities are managed, disclosed, and remediated responsibly, so they don’t pose a threat to businesses,” notes Marc Willebeek-LeMair, 3Com’s chief technology officer.

From 3Com’s perspective, the goal is to more quickly update its security products with new vulnerability information. “The sooner we have information about a vulnerability, the sooner we can deliver protection to our customers,” says Willebeek-LeMair. Even so, he says 3Com will share the information with other “security and technology vendors, security researchers, [and] end users.”

At stake is the security of corporate networks, and related issues of information security and employee productivity. “Viruses or worms that take advantage of vulnerabilities that vendors are not yet aware of can be devastating to an organization,” notes Victoria Fodale, an analyst at In-Stat Research. “3Com’s initiative is a positive step for the industry,” she says. “Both vendors and customers stand to benefit.”

Vulnerability Portal

Want to get involved? Security researchers can offer their vulnerability findings via the ZDI portal. 3Com says it will acknowledge receipt of the information within about three business days, and make a definitive offer, or not, within about a week. The researcher can then accept the offer or refuse and walk away without 3Com keeping the information.

What boosts the value of an offer? 3Com says it will evaluate whether: the affected product is widely used; exploiting the flaw could compromise a client or server; the flaw is found in default configurations or installations; the affected products are high-value, such as databases, DNS, routers, and firewalls; and social engineering would be involved to make the attack successful.

Researchers don’t get paid cash for every accepted vulnerability, but rather gain points—one for each “dollar” offered for their vulnerability—in a structure similar to an airline frequent-flyer program. A set number of points in a given year earns the researcher bronze, silver, gold, or platinum status. Each level brings a one-time cash payment, from $1,000 for bronze to $20,000 for platinum.

There are additional perks. Researchers who hit the silver level will get travel costs covered and registration paid for the DEFCON Conference in Las Vegas. Unless a security researcher chooses anonymity, 3Com says the researcher will receive credit for discovering the vulnerability when it’s announced publicly.

Like many security software vendors, 3Com already researches vulnerabilities. Still, “this program will extend our research organization even further, and enable us to tap some of the brilliant minds in the global security research community,” notes David Endler, the TippingPoint director of security research.

While 3Com will have a lead on using the vulnerability information researchers provide, it says while it will update the vulnerability filters in its products, it won’t tell customers what those filters do until the vulnerability is made public.

3Com says it will also offer the vulnerability information to other legitimate security vendors—for example, for intrusion detection and prevention systems, vulnerability scanners, and vulnerability management systems. To qualify, however, “the security vendors must be in a position to remediate or provide protection of vulnerabilities with their solution, while not revealing details of the vulnerability itself to customers,” says TippingPoint. Furthermore, “the security vendor’s product must also be resistant to discovery of the vulnerability through trivial reverse engineering.”

The ZDI program will begin on August 15, 2005.

For more information on the project, visit http://www.zerodayinitiative.com