Web Insecurity

3Com’s Zero Day Initiative

July 25th, 2005

3Com has announced a new program to reward hackers and crackers alike to report their findings in hopes of obtaining zero day exploits faster.

This new initiative looks to reward those who report their vulnerabilities rather than exploiting them for personal gain. The website of this new initiatve can be found here.

The program looks to pay decently, if one can manage to acquire the required ZDI Points. It seems that those who submit enough vulnerabilities can get a paid trip to Defcon and Blackhat security conference, which isn’t a bad deal. The good news is, you only need 50,000 points. As to how many points you get per vulnerability — it is not published on the site. You will,however, get 2,500 points for refering somebody who does find a vulnerability however.

The example on the site gives the allusion of buying vulnerabilities for 5,000 dollars but I’m sure this is on the high end. You can see the tiered rewards program at ZDI Rewards Program More good news…they pay using paypal.

This is a great idea, if it ever gets off the ground. It’s still unsee how successful the attempt will be. I, for one, will be signing up with the site in hopes of reporting a few vulnerabilities. I may have a few problems, however, as the vulnerabilites I find are generally application specific and deal with a companies proprietary code rather than public and commonly used software.

It seems to be done right, they have a pgp key on the contact page, they pay using a variety of payments systems such as paypal and western union, and they agree to keep you anonymous if you so desire. The program is slated to go live August 15th.

Entry Filed under: Vulnerabilities