Security Vendors Offer More Cash For Bugs

Who knew that software bugs could be worth so much money? Security vendor TippingPoint, a division of 3Com Corp., earlier this week launch an initiative that includes payments to researchers and hackers that supply the company with information about security vulnerabilities. Rival iDefense Inc. countered that on Tuesday when it offered to double the rewards it pays out for vulnerability information.

Neither company would be specific about the amount of money they're paying for bug reports, although analysts said payments could range from a couple of hundred dollars to as much as $1,000 per bug. The rewards, revealed while the security industry gathers in Las Vegas this week for the Black Hat security conference, show how much security vendors value being first to know about and first to develop a countermeasure for new potential security threats.

Both vendors will try to only work with "white hat," or good-guy, ethical hackers, not those who are committing crimes such as identity theft. Of course, it's not always easy to know if somebody submitting information about a software flaw is a good guy or a bad guy. Another problem, says Pete Lindstrom, founder and analyst at Spire Security, could arise if people investigating security vulnerabilities begin to think more about cash rewards than about helping the software industry improve its products. And if they start peddling their information to the highest bidder, they may end up selling information about software flaws to criminals, who can probably outbid security firms in order to find about vulnerabilities that they can exploit for profit.

IDefense says it doubled payments to show that it's committed to the program even after being acquired by VeriSign Inc. The company also says it will pay more to security researchers and hackers who provide it with information on a regular basis, and it also will pay more to those who increase their submissions year over year. The company has been paying for such information for about three years.

Paying for information about software vulnerabilities will have limited success, says Robert Ayoub, a security analyst for research firm Frost & Sullivan. "I think there are industry trust issues dealing with an underground community," he says. And selling information to the highest bidder raises serious questions. "Will [security vendors] pay me the most or will the spyware writers?"

TippingPoint's Zero Day Initiative aims at the responsible disclosure of security vulnerabilities. The company will reward researchers who turn in the new software vulnerability data instead of publicly releasing it. TippingPoint then will forward the information to developer of the software, giving the vendor time to develop a patch. TippingPoint says it won't publish any information until the vendor has deployed a fix.