3Com Offers Zero-Day Bounty
Vendor offers to pay security researchers who notify it of flaws in its own and other vendors' products
July 26, 2005
3Com Corp. (Nasdaq: COMS) today unveiled a new service it claims will help tackle the growing menace of zero-day security attacks (see 3Com Intros Zero Day Initiative).
Under the terms of the Zero Day Initiative (ZDI), 3Com will reward security researchers who notify it of vulnerabilities in either its own or other vendors' products, as opposed to making the information publicly available. The researchers will receive a financial payment for signing the vulnerability information over to 3Com. The company will then notify the other affected vendors, such as Microsoft Corp. (Nasdaq: MSFT) or Cisco Systems Inc. (Nasdaq: CSCO), so that they can resolve the problem, most likely in the form of a patch.
3Com will only disclose a vulnerability publicly once the affected vendors have been able to issue patches, according to Dave Endler, 3Com’s director of security architecture. Knowledge, however, is power in the security market. Although 3Com will make data about vulnerabilities freely available to other vendors, the company will ensure that its own customers are the first to get protected.
3Com will push protection updates to its customers' intrusion prevention system (IPS) appliances over the Internet, according to Endler, but it will not tell users what the actual vulnerability is until any other affected vendors have solved the problem. "The 3Com customers will receive protection, but they won't know what they are being protected against until the vendor comes out with the patch," he adds.
Endler is unwilling to say how much someone will get for selling vulnerability information to 3Com. The exec is also reticent about exactly how much money 3Com has put behind ZDI, confirming only that the firm has made "a significant investment" in the scheme.
Zero-day threats target a previously unknown vulnerability in hardware or software before it can be fixed, and they are a growing headache for IT managers. Because the attacks are unforeseen, it is extremely difficult for users to take precautions against them (see Security Approaches Day Zero and Is Zero Day a Cash Cow?).
3Com is not the only vendor to flash a bit of cash in an attempt to stifle cyber threats. Earlier this month, Microsoft paid out $250,000 to two informants who helped nail the creator of the Sasser worm (see Microsoft Rewards Sasser Snitches).
A handful of companies have already offered rewards for vulnerability information, among them Mozilla and iDefense Inc., which was recently acquired by VeriSign Inc. (Nasdaq: VRSN). (See VeriSign Snaps Up iDefense.)
But Carole Theriault, a consultant at security specialist Sophos plc, warns that a preponderance of reward schemes could cause problems of its own. “If I know of a security vulnerability, I am going to go to the highest bidder,” she says. “This will probably lead to a coalition being formed eventually.”
Another big challenge for 3Com is working out who it is dealing with, according to Theriault: "It's a hazy world out there. I would like to think that they would look into who is giving them the information."
Although he did not provide any specifics, Endler says 3Com will be doing "a lot of due diligence" on its contacts. "Someone who is using this information maliciously is not likely to want it to be patched."
The move into the zero-day space is part of 3Com’s strategy to re-invent itself as a security vendor. The company, which spent $430 million to acquire security specialist TippingPoint Technologies Inc. earlier this year, is desperate to shake off its consumer electronics image. Still, building up credibility as a security player has been cited as a major hurdle for the company (see 3Com's Enterprise Challenge, 3Com Closes TippingPoint Buy, and TippingPoint Trucks On).
Victoria Fodale, research analyst at In-Stat/MDR, thinks ZDI could help 3Com achieve this. “It does raise 3Com/TippingPoint’s profile,” she says. “Some vendors weren’t fixing their vulnerabilities in a timely manner, and this should help.”
— James Rogers, Site Editor, Next-Gen Data Center Forum