Topic: 3com/Tipping point to pay bounty for vulnerabilities

mutex

3com/Tipping point to pay bounty for vulnerabilities
« on: July 23, 2005, 08:47:10 am »
Courtesy of PR Newswire Complimentary Monitoring

TALES OF THE TAPE:3Com Plan To Buy 'Bugs' May Rile Rivals

Dow Jones & Company, Inc. -- July 22, 2005

By Riva Richmond, Of DOW JONES NEWSWIRES

NEW YORK (Dow Jones)--3Com Corp. (COMS) thinks it has a way to be a good Samaritan in computer defense that is also good for business. But it might also rile its rivals.

The networking company said it plans to pay individuals for exclusive information on flaws they have discovered in software programs, which hackers could use to breach computer defenses. 3Com said its program, called the Zero Day Initiative, will limit the dangerous information that falls into the wrong hands via leaks on the Internet. The company told Dow Jones Newswires it will announce the initiative Monday.

The Marlborough, Mass.-based 3Com promises to keep what it buys confidential and work with software makers like Microsoft Corp. (MSFT) to fix the errors. If these companies agree, 3Com will share the information with competitors so they, too, can protect customers, as long as they don't reveal the flaws.

Of course, 3Com isn't just being charitable. While it won't give customers details about the bugs it buys, the information could give 3Com's TippingPoint security unit a competitive edge. TippingPoint said it will be able to protect customers if attackers try to exploit the flaws.

Demand - and competition - for intrusion-prevention products is red hot. The market for products like TippingPoint's grew 87% between 2003 and 2004, according to research firm IDC - one of the fastest-growing segments of the computer-security products business, which grew 21% in the same period.

Critics, uncomfortable with providing monetary rewards for such information, say offering bounties could undermine the existing, more altruistic, methods of finding and fixing flaws, could encourage people to dig up more dangerous ones and could even end up lining the pockets of attackers.

"A black market's out there for this type of information, so it's high time we had a responsible way for channeling that information," said 3Com Chief Technology Officer Marc Willebeek-LeMair. The company said it won't work with known malefactors and doesn't expect those people to knock on its door.

The 3Com approach isn't new. IDefense Inc., which VeriSign Inc. (VRSN) recently acquired, pays researchers for rights to unpublished flaws and attack programs. It shares the information with affected software makers and customers of its intelligence services. Also, the Mozilla Foundation pays $500 bounties for information about security flaws in its open-source Mozilla Firefox Web browser.

But this isn't the norm. Right now, most independent researchers report their discoveries directly to software makers or to the non-profit, government-supported Computer Emergency Response Team, which liaises with software companies. Discoverers get credit for their finds, but are rarely paid.

It isn't a perfect system, however. Some researchers release information because they feel it should be publicized or because they feel software makers are too slow to offer fixes. And some hackers sell or share their finds on a black market.

Given 3Com's size, its embrace of payments could prompt others to follow suit and might create a new market for flaws, said Marc Maiffret, chief hacking officer at eEye Digital Security, a vulnerability-management software maker.

Alan Paller, director of research at the independent SANS Institute, agrees: "No other IDS [intrusion-detection system] vendor can afford to have its salespeople come back to the office and say 'I lost another sale to TippingPoint'."

TippingPoint said it will analyze flaws that researchers submit via a secure Web site and make a "bid" for exclusive rights; the bid will depend on the programming error's severity and how widely the software is used. Researchers will be able to track the progress of their finds toward public disclosure via the Web site.

TippingPoint, like iDefense, declined to disclose how much it will pay for the information, but Willebeek-LeMair said: "It'll be enough to make them excited and eager to come back with the next piece of information."

Security companies boast of their research prowess to win new customers, so 3Com's ability to get information on new bugs is likely to resonate with customers.

One 3Com customer, a senior IT-security manager at a large media-services company who asked not to be named, said he isn't concerned with how TippingPoint finds out about flaws, or even if 3Com deals with unsavory and untrustworthy characters, if it means his network will be protected.

"The information is out there, and it's being shared," he said. "If I'm buttoned up, I'm happy."

Paller, from the SANS Institute, said iDefense has shown bounties work even if they are "oily." The company has attracted some valuable bug information, albeit not the most critical of errors.

"There are a lot of things that I don't like that are oily but are necessary," he said. "The economic incentives for finding them for only harm[ful uses] has skyrocketed in the last few years."

3Com's Willebeek-LeMair said the need for information lies in the rising threat of "zero-day attacks" where attackers exploit a software flaw for which there is no immediate fix, or "patch." Security experts say online leaks raise the risk of such attacks.

But most security-industry players don't like the idea of paying for such information.

Tom Noonan, chief executive of Internet Security Systems Inc. (ISSX), a TippingPoint competitor, argues companies can't be sure they aren't buying information from malicious hackers.

"Any time you aid and abet people who could be the enemy, you are structurally building a system that is not stable," he said.

An executive at a large competitor, who asked to remain anonymous, said the initiative has the potential for abuse because it might encourage freelance bug hunters to look for flaws in rival products.

TippingPoint said it has a record of working for the broad benefit of the security industry and Internet safety, and won't target competitors.

Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., said paying for bugs will mean more get dug up. Research has shown that looking for, and disclosing, flaws doesn't actually help the cause of security, since there are thousands more waiting to be discovered, he said.

But Microsoft, whose software is a top target of both bug hunters and attackers, doesn't oppose the 3Com program, saying in an email it "applauds any responsible effort that helps protect computer users."

-By Riva Richmond, Dow Jones Newswires; 201-938-5670; riva.richmond@dowjones.com

(END) Dow Jones Newswires

07-22-05 1400ET

Copyright (c) 2005 Dow Jones & Company, Inc.


mutex

Re: 3com/Tipping point to pay bounty for vulnerabilities
« Reply #1 on: July 23, 2005, 09:05:54 am »
I got that in an email and I can't find a link yet.  I'm guessing there will be one on Monday.

This is big news.  For those who aren't in the know, 3com recently bought Tipping Point, a network security vendor.  3com seems to be leveraging the "hacker" community for its vulnerability information rather than pay to form its own research team like that of Internet Security Systems and others.

This is a double-edged sword - on the one hand, it gives "hackers" more incentive to do their work and find more damaging vulnerabilities, but on the other hand, they are incented to turn over that information to 3com who then works with the vendor to fix the problems.

mutex

Re: 3com/Tipping point to pay bounty for vulnerabilities
« Reply #2 on: August 02, 2005, 08:23:34 pm »
iDefense doubled 3com's bounty in pretty short order: http://www.eweek.com/article2/0,1895,1841268,00.asp