Wednesday, July 27, 2005

Bidding war for vulnerabilities

#131 An interesting trend developed this week, after 3Com announced yesterday that it would pay rewards to individuals who provide information on product/software vulnerabilities so that they could update their security products to mitigate the vulnerability. One day after this, iDefense (acquired by VeriSign two weeks ago) announced it would double its payouts for similar information.

Both companies are vying to be the first to know about security vulnerabilities in other companies' products. The payouts are used to gain a competitive edge over rivals by having their products recognize more vulnerabilities that may be exploited in attacks by cybercriminals. Money has increasingly become an incentive for hackers. Programs such as those from 3Com and iDefense offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems.

Only a few companies pay security researchers for finding software vulnerabilities. iDefense's Vulnerability Contributor Program has been around for three years. TippingPoint, part of 3Com, announced its Zero Day Initiative on Monday and will celebrate the launch Wednesday at the Black Hat security conference in Las Vegas.
