It’s air-points with a difference — the Zero Day Initiative (ZDI) is a 3Com TippingPoint programme that pays security researchers for finding unpublished vulnerabilities and reporting them to TippingPoint.
ZDI stacks up points for vulnerabilities reported by researchers — the more vulnerabilities reported, the more points awarded. These points are then translated into a status system, where the higher the status, the higher the annual bonus, as well as other rewards.
Currently, around 450 researchers are signed up to the ZDI programme, according to Bruce Cossill, 3Com’s New Zealand country manager. 3Com buys the information from the researcher and then provides its customers with a filter, or a vaccine, for the vulnerability through its intrusion prevention technology. The company also notifies the affected product vendor that there is a problem. Later, 3Com shares this vulnerability information with other security vendors, before making a public announcement.
Verisign has a similar programme. The iDefense Vulnerability Contributor Programme (VCP) pays people who provide iDefense with information about unpublished vulnerabilities and exploit code. Currently, there are more than 250 active VCP contributors, says iDefense. The company uses the information provided for its security alerts and also in the analysis service it offers its customers.
The amount informants are paid depends on a number of criteria, including the kind of information supplied, the amount of detail provided, how serious the threat is, and which applications and operating systems are affected, as well as the number of users of the affected application.
But, to take a leaf out of Terry Pratchett’s books: if people are paid for every dead rat they hand in, is there not a risk that rat breeding will increase?
Local security expert Nick FitzGerald believes that encouraging people to find and report vulnerabilities could turn out to be a risky business. While security companies argue that they are doing a good thing by informing affected vendors about reported vulnerabilities — and that they are preventing the “bad guys” from exploiting said vulnerabilities — there could also be significant disadvantages, says FitzGerald.
“It’s probably too soon to tell, but it may be that, in encouraging more people to look for vulnerabilities, we have greatly enhanced the skill-set and expertise [to find vulnerabilities] within a large and diverse group of people who might not otherwise have put the time and effort into trying to make these types of discoveries — and becoming good at it,” he says.
The black market is able to — and prepared to — pay more for vulnerability information than the people who are supposedly “the good guys with the good motivation”, says FitzGerald.
It comes down to the individual researcher and whether he or she accepts money from the reward programme or decides instead to sell the information, for a much larger sum, on the black market, he says.
“If there are a lot more people now with the [required] skill-set making that choice the probability is that more of them are going to go to the bad side,” he says.
Botnet groups and large spammer groups, which are often closely affiliated, have been known to go out and say they are looking for zero-day vulnerabilities and that they will pay “top dollar” for them, says FitzGerald.
“They basically say, ‘Why waste your time and effort going to [security companies] when you can make the real money with us?’”
FitzGerald thinks that most vulnerabilities reported via security companies’ reward programmes come from the “white hat” research community. But some information may be coming from the criminal underworld. It could happen that hackers find vulnerabilities that are useless to them at a particular moment, he says.
“Some people would be inclined to sit on [the vulnerability information] until they have a target where they can use it and hope, in the meantime, that no one else discovers it,” he says. “Or they might decide to cut their losses and take the $1,000 or whatever it is that [the reward programme] will pay them.”
FitzGerald is an antivirus researcher and, at the moment, is contracting to CA.
TippingPoint (TP) currently has 3,000 filters under the umbrella name “digital vaccines”, says 3Com’s Cossill. This number grows constantly, as every new vulnerability requires a new filter, or sometimes several filters, before it can be blocked.
3Com also has five “lighthouse sites” across the world that monitor traffic. Typically, these sites are large, busy ISPs, he says. The TP boxes pick up malicious traffic and feed that information into “the machine that makes the vaccine”, which is based in Austin, Texas, he says.
TP intrusion-detection software sits at the front of an organisation and checks everything coming in from the internet into the corporate network.
The TP appliance polls the threat-management centre every half an hour to see if there are new filters to be downloaded.
3Com does not have a New Zealand office, nor does it plan to open one. Instead, the company wants to invest more in its partners here, says Cossill.