Wednesday, July 27, 2005

Snort "Not Eligible" for Zero Day Initiative

I recently wrote about TippingPoint's Zero Day Initiative (ZDI), a pay-for-vulnerabilities program. Thank you to the poster (whom I will keep anonymous) for notifying me of the article "Vendors Compete for Hacker Zero Days" by Kevin Murphy. It features this quote:

"[C]ompetitors will have to sign agreements to the effect that they will not irresponsibly disclose the information, and that any data they provide to their own customers cannot be easily reverse engineered into an attack, he [3Com’s David Endler] said.

"'Some technology based on Snort would not be eligible because Snort by its nature is open,' Endler said, referring to the open-source IDS software. 'But there are products based on Snort that are closed. We’ll have to take it on a case-by-case basis.'"

This means Sourcefire will never be able to learn of ZDI vulnerabilities. Any registered Snort user can download Sourcefire VRT rules and see everything except rules younger than five days old. VRT subscribers have access to the latest rules immediately.

It sounds to me like the only "technology based on Snort" that would be "eligible" would be sensors provided by a managed security services provider, or sensors sold without access to the console and rule sets. Such vendors could add ZDI-inspired rules but never let users see them.

I never thought for a minute TippingPoint would do anything to help Sourcefire, as they are two major competitors in the (misnamed) IPS market.


Axel Eble said...

So it's nothing but a marketing ploy. Surprise, surprise.

However, I don't buy into this Zero Day Initiative anyway. More often than not a full disclosure is the best way to go. I agree it's not very nice to the vendors, but in return I've seen too many cases where the vendors did nothing to fix age-old bugs. And, funny enough, they don't even give a reason for that. Makes one wonder.

Scott said...

Time to start the Snort -1 Day Initiative - Now With Proactive Synergy. More Marketing speak to be added later.