It seems we exaggerated the innovation of Com/TippingPoints controversial Zero Day Initiative.
The scheme pays vetted researchers to report vulnerabilities to the company in a responsible way, thereby avoiding these holes getting into the public domain and being exploited by criminals and hackers before patch has been written.
The bit that has upset some people is the idea of payment, the contention being that by offering cash for holes the company was risking creating a second-hand market for dangerous vulnerability information.
Now weve had it pointed out to us that the idea was actually pioneered by Verisign division iDefense Labs as long as three years ago. Where the 3Com program has come up with a tiny number of holes that it has been able to make public, iDefense claims to have had 120 this year alone (though see important qualification at the end of the article as to a difference between the programs).
"Year to date, iDefense has been responsible for vulnerabilities leading to nine of the 53 Microsoft security bulletins. This has lead to advance notification for iDefense/VeriSign clients an average of 82 days prior to public disclosure," says the Labs director Michael Sutton.
Over its existence the total number adds up to 1,200 vulnerabilities, roughly 50 percent of which were rejected outright. Thats quite a business iDefense has there.
There are a clutch of issues that come out of all this, but Sutton is quick to point out what the world was like when the company started. Reporting vulnerabilities was very difficult for researchers because many companies didnt have any reporting processes in place. It was all down to finding and convincing the right person in tech support, an arbitrary process at best.
The world has caught up with iDefenses thinking since then. There are still people who would rather not leave something as important as vulnerability reporting to the market, but paying for this information looks as good as any system in the long run.
None of this quite explains why vendors cant find an economic way of finding out this information for themselves. Or is the problem now far too big?
For the record, 3Com has asked us to point out that, unlike iDefense, it does not profit directly by re-selling vulnerability information.
"We only give the information to the affected vendor to fix and then only release the information once a patch is available. We do not issue or sell sample exploits/attacks on the vulnerability," a company spokesperson pointed out.