Through the accursed Slashdot I learned of TippingPoint's Zero Day Initiative program. (Incidentally, I just figured out that Slashdot is like Saturday Night Live: we all remember it being a lot better years ago, it stinks now, yet we still watch.) According to this CNet story by Joris Evers, which cites TippingPoint's rationale for the program:
"'We want to reward and encourage independent security research, promote and ensure responsible disclosure of vulnerabilities and provide 3Com customers with the world's best security protection,' David Endler, director of security research at TippingPoint, said in an interview."
This program is similar to the iDEFENSE Vulnerability Contributor Program launched in 2002 amidst much fanfare. This April 2003 interview with iDEFENSE VCP Manager Sunil James is also enlightening. Part of the VCP is a retention reward program that paid a $3,000 bonus to the Danish CIRT and $1,000 to l0rd_yup for vulnerabilities reported to iDEFENSE in the first quarter of 2005. Some iDEFENSE advisories give anonymous credit to vulnerability discoverers, like Sophos Anti-Virus Zip File Handling DoS Vulnerability, while others name their sources, like Lord Yup in Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability. In some cases iDEFENSE Labs finds the hole, as in Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow Vulnerability.
Thus far I have not heard much discussion about iDEFENSE's program, although it seems like the payout to the vulnerability researchers is dwarfed by the value earned by iDEFENSE. Otherwise I have not heard too many condemnations of the pay-for-bugs program and I have not heard of anyone suing iDEFENSE over a vulnerability produced through their VCP.
Looking at some of the details of the TippingPoint Zero Day Initiative, I found this item in their FAQ amusing:
"Since 3Com and TippingPoint customers are protected prior to the disclosure, are they aware of the vulnerability?
In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, 3Com and TippingPoint customers are only provided a generic description of the filter provided but are not informed of the vulnerability. Once details are made public in coordination with the product vendor, TippingPoint's Digital Vaccine® service for the Intrusion Prevention System provides an updated description so that customers can identify the appropriate filters that were protecting them. In other words, 3Com and TippingPoint will be protected from the vulnerability in advance, but they will not be able to tell from the description what the vulnerability is."
Anyone who reads this blog knows I think this sort of "protection through secrecy" is ridiculous. If I can't figure out how a product is making its decision to "protect" me, I will try to avoid it. I certainly wouldn't want it blocking traffic on my behalf. What about anti-virus software, you ask? I don't run it on my servers!
This is also funny:
"Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?
We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.
What types of security vendors are eligible for the advanced notice?
In order to qualify for advanced notice, the security vendors must be in a position to remediate or provide protection of vulnerabilities with their solution, while not revealing details of the vulnerability itself to customers. The security vendor's product must also be resistant to discovery of the vulnerability through trivial reverse engineering. An example of such a vendor would be an Intrusion Prevention System, Intrusion Detection System, Vulnerability Scanner or Vulnerability Management System vendor."
I am eager to see what vendors can live up to these requirements. Snort rules won't, and neither will Nessus NASL scripts: both are distributed as plain text that spells out exactly what is being matched or probed, so "trivial reverse engineering" of the vulnerability amounts to reading the file.
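To make that concrete, here is an added illustration that is not from the original post, from TippingPoint, or from the Snort project: a hypothetical Snort 2 rule for a made-up service. The service name ("EXAMPLESVC"), port (TCP/9999), command (LOGIN), the 256-byte trigger length, the SID and the CVE placeholder are all invented for illustration; they do not describe any real vulnerability.

```snort
# Hypothetical Snort 2 rule, written for this post as an illustration only.
# The service ("EXAMPLESVC" on TCP/9999), its LOGIN command, the 256-byte
# trigger length and the SID are invented; the CVE reference is a placeholder.
# Every option below is readable by anyone who has the rules file:
#   - the destination port tells you which service is affected,
#   - content/depth tell you which command is affected,
#   - isdataat and the pcre tell you how long the argument must be to trigger
#     the flaw (i.e. the approximate size of the overflowed buffer),
#   - reference tells you which advisory to read for the rest.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 ( \
    msg:"EXAMPLESVC LOGIN argument overflow attempt"; \
    flow:to_server,established; \
    content:"LOGIN "; depth:6; nocase; \
    isdataat:256,relative; \
    pcre:"/^LOGIN\s[^\r\n]{256}/i"; \
    reference:cve,YYYY-NNNN; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)
```

A NASL plugin is in the same position, only more so: to report the hole it has to send the triggering request itself, so the script is effectively a proof-of-concept with a report attached. The FAQ's criterion therefore excludes any open signature or check format and leaves only opaque, compiled filters, which is exactly the "protection through secrecy" described above.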
I am uneasy about programs like this. Consider modifying Mr. Endler's statement in this manner:
"We want to reward and encourage independent security research, promote and ensure responsible creation of viruses and provide our customers with the world's best security protection."
A virus is malware launched by a threat; it's not a vulnerability. Publication of a vulnerability does not necessarily mean publication of new code to be used by threats. Still, it's not that difficult to move from vulnerability disclosure to exploit creation.
TippingPoint is basically paying researchers to justify the vendor's existence. No vulnerabilities = no need to buy a TippingPoint IPS. More vulnerabilities means more opportunities for threats to craft exploit code, and that justifies buying more IPSs.
How is this different from the Mozilla Bug Bounty program, you might ask? When Mozilla pays researchers to report vulnerabilities in Mozilla code, Mozilla is effectively outsourcing its security quality assurance program. This is done to improve the quality of the software released by Mozilla. When TippingPoint pays researchers to report vulnerabilities in anyone's software, and then keeps those vulnerabilities to itself (followed by limited disclosure), TippingPoint is justifying its product's existence.
You might also wonder what I think of Microsoft's $250,000 bonus to those who expose virus writers. I have no problems with such a program, and I see it as another way to remove threats from the streets.