Network Computing is part of the Informa Tech Division of Informa PLC

3Com Offers Zero-Day Bounty

3Com Corp. (Nasdaq: COMS) today unveiled a new service it claims will help tackle the growing menace of zero-day security attacks (see 3Com Intros Zero Day Initiative).

Under the terms of the Zero Day Initiative (ZDI), 3Com will reward security researchers who notify it of vulnerabilities in either its own or other vendors' products, as opposed to making the information publicly available. The researchers will receive a financial payment for signing the vulnerability information over to 3Com. The company will then notify other affected vendors, such as Microsoft Corp. (Nasdaq: MSFT) or Cisco Systems Inc. (Nasdaq: CSCO), so that they can resolve the problem, most likely in the form of a patch.

3Com will only disclose a vulnerability publicly once the affected vendors have been able to issue patches, according to Dave Endler, 3Com’s director of security architecture. Knowledge, however, is power in the security market. Although 3Com will make data about vulnerabilities freely available to other vendors, the company will ensure that its own customers are the first to get protected.

3Com will update its customers’ 3Com IPS (Intrusion Prevention System) firewalls via the Internet, according to Endler, but it will not tell users what the actual vulnerability is until any other affected vendors have solved the problem. “The 3Com customers will receive protection, but they won’t know what they are being protected against until the vendor comes out with the patch,” he adds.

Endler is unwilling to say how much someone will get for selling vulnerability information to 3Com. The exec is also reticent about exactly how much money 3Com has put behind ZDI, confirming only that the firm has made “a significant investment” in the scheme.
