by Marc Willebeek-LeMair

When it IS ethical for security companies to buy vulnerability information

Opinion
Sep 12, 20053 mins

Two industry insiders debate the issue of paying those who uncover security flaws.

Recently 3Com launched the Zero Day Initiative, a program designed to protect against zero-day vulnerabilities – unknown security flaws for which no patch exists. When a zero-day vulnerability is announced, all users of the affected technology scramble to protect themselves. This is costly, and the consequences are potentially severe. Everyone is vulnerable from the time a flaw is disclosed until the time a patch is deployed, which can be months.

Through the program, 3Com rewards researchers who responsibly submit vulnerability information instead of publicly announcing their discovery, putting organizations at risk. We give this information to the affected vendor to develop a patch, while protecting our customers with intrusion-prevention technology. The information is not made public until a patch is available. This background information provides the context in which we support rewards for security research.

There is a misperception that all security researchers are malicious hackers looking to do harm. In reality, there is a growing security research community that has evolved dramatically over the last few years. Today, those with the level of expertise needed to discover a vulnerability and recognize its significance is a global and sizable group. A very small minority are malicious hackers. It is not uncommon for security researchers to stumble onto a new flaw while doing their day-to-day security work. Why shouldn’t the well-doers be rewarded for responsibly handling this sensitive information?

Rewarding researchers can be compared with rewarding reporters who uncover a story. If a freelance reporter stumbles upon a great story, why shouldn’t he or she offer it to a publication for payment? Much like the way a publication checks facts in the story, 3Com validates the issues to find out if they are legitimate vulnerabilities. Most stories, like vulnerabilities, will eventually be uncovered. It’s best that the vulnerabilities are given to a group that will ensure they are handled responsibly.

Security researchers who work with vendors to alleviate a flaw are not malicious. Those with malicious intent can inflict damage by exploiting a vulnerability or selling it on the black market without notifying the vendor. Nonetheless, based on policy, 3Com will not work with known black hats. In order to receive payment, the researcher’s identity must be known and validated.

With zero-day vulnerabilities on the rise and the window of time before exploits shrinking, it is increasingly important to provide next-generation security. This includes the use of intrusion-prevention systems, which are unique in providing vulnerability protection through a regular update service. With the doors open for security research commerce, we can leverage the great minds that may be untapped to offer greater vulnerability protection for all technology users.

We believe paying security researchers will result in the responsible disclosure of vulnerabilities, which ultimately enhances security.

Willebeek-LeMair is CTO at 3Com. He can be reached at cto@3com.com.

The opposing viewpoint – by Christopher Rouland, CTO at ISS.

Face-off forum – What do you think? Read and post comments.