3Com announced a new Zero Day Initiative (ZDI), which is a security bug bounty program that will pay researchers for their discoveries. The program will also include a points accumulation program. 3Com intends to use the vulnerability information to better protect the customers of its TippingPoint Digital Vaccine service. The company said it will also share the information with other security vendors.
“Through this program, we seek to ensure that newly discovered vulnerabilities are managed, disclosed and remediated responsibly, so they don’t pose a threat to businesses,” said 3Com Chief Technology Officer, Marc Willebeek-LeMair. “The sooner we have information about a vulnerability, the sooner we can deliver protection to our customers. Ultimately, this benefits everyone: security and technology vendors, security researchers, end users, as well as 3Com and its TippingPoint division customers.”
Under the program, researchers would submit their vulnerability reports and receive payment based on the scope of the problem, as measured against certain criteria. Determining factors include whether the product is widely deployed, whether the problem can lead to system compromise, what privilege level the vulnerability leads to, whether the problem is part of default configurations, and whether the problem requires social engineering. Another factor is the potential value of a compromised system. For example, database and e-commerce servers might be more valuable than desktop systems to some intruders.
Researchers will earn one point for every dollar received in payment from 3Com. As the points increase, so do the benefits. Researchers can also earn monetary bonuses and expense-paid trips to the DEFCON and Black Hat conferences. More details are available at the Zero Day Initiative Web site.