Security firm offers bounty on bugs
Found a security bug? TippingPoint will pay you for the details.
TippingPoint -- part of 3Com -- is soliciting hackers to report vulnerabilities in exchange for money. If a valid bug is found, TippingPoint will notify the maker of the flawed product and update its security products to protect users against exploitation of the flaw before an official patch has been released.
"We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection," David Endler, director of security research at TippingPoint, said in an interview.

TippingPoint sells intrusion prevention systems, which are designed to protect servers, desktops and other computers connected to an organisation's network against exploitation of vulnerabilities.

The payments are being offered under TippingPoint's new 'Zero Day Initiative'. The company plans to announce the programme today and celebrate the launch with a party in Las Vegas on Wednesday, the first day of the annual Black Hat Briefings, an event for security professionals and enthusiasts.

Few companies offer rewards for pinpointing software vulnerabilities. The rewards are almost always paid by security companies for flaws in other companies' software products. The payouts are used to gain a competitive edge over rivals by having their products recognise more vulnerabilities.

Security intelligence firm iDefense, which was recently acquired by VeriSign, and the Mozilla Foundation also pay security researchers, or hackers. Mozilla offers $500 and a Mozilla T-shirt to those who find critical security flaws in its products, which include the Firefox Web browser.

Money has increasingly become an incentive for hackers. Programmes such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.

Bugs can be reported to TippingPoint through the Zero Day Initiative Web site. TippingPoint investigates all reports and will deal only with reputable researchers, Endler said. "We need to know exactly who we are working with," he said. "We don't want to work with black hats or illegal groups."
Black hat is a term used to distinguish criminal hackers.

If a flaw is found to be genuine, TippingPoint will make an offer. The amount depends on the scope of the vulnerability. A problem that lets an attacker remotely access a computer will fetch more than a bug that could only crash a system, for example. If the researcher takes the offer, the rights to the bug report are signed over to TippingPoint, Endler said.

An unspecified time after protecting its own customers and before a fix is released, TippingPoint plans to share vulnerability details with other makers of intrusion prevention products. "We're making an altruistic gesture to protect a larger segment rather than just our customer base," Endler said.

Those who report flaws to TippingPoint will get credit for their discovery and can keep track of the status of the bug report through the Zero Day Initiative Web site, Endler said. A special reward programme makes it lucrative to contribute multiple vulnerabilities, he said.