Researchers flock to report holes for cash

3Com has published details of the third critical hole to be uncovered under the auspices of its controversial Zero Day Initiative.

The new vulnerability - discovered in software from Novell - has been fully patched, and relates to a critical hole in Netmail 3.4.2 that could allow an attacker to compromise a host.

The important difference between this vulnerability and others that enter the public domain on a weekly basis is that a researcher will have been paid by 3Com for reporting it.

Launched by the company’s TippingPoint division in July, the project is understood to have signed up 200 researchers, who between them have submitted around 100 high quality vulnerability reports. Each researcher is said by 3Com to have been carefully vetted by the company before being accepted.

Only two vulnerabilities have so far been made public – one affecting Clam anti-virus, the other a remote execution hole in Veritas Netbackup.

The only other company known to use money as an incentive for vulnerability reporting is Mozilla, which is said to offer a $500 bounty for anyone finding security issues in its browser.

The company had no problems with the idea of paying researchers cash to report security issues, as this encouraged and rewarded responsible disclosure. Without such an outlet, there was a danger that vulnerabilities would be put into the public domain before the affected vendor had time to react.

“Some researchers get very fed up working with vendors on disclosing publicly,” said 3Com’s David Endler.

He predicted that an increasing number of such issues were going to become known about through private research rather than direct from security vendors, and the program dovetailed with this trend.

“The majority (of the holes) are remotely exploitable and critical vulnerabilities,” he added, by way of characterising the reported list of issues the company was still evaluating.

“Some are issues that might be more of a bug than a vulnerability.”

The company would be making public more vulnerabilities in the coming weeks and months, as the ZDI gained momentum, he said.

This story, "Researchers flock to report holes for cash" was originally published by


Copyright © 2005 IDG Communications, Inc.