iDefense ups the bidding for bugs

Both security specialists are vying to be the first to know about vulnerabilities in companies' products. The idea is to gain a competitive edge by having security products that recognize more vulnerabilities that may be exploited in cyberattacks.

In an e-mail Tuesday to the popular Full Disclosure security mailing list, iDefense announced that it is doubling its payments for vulnerability submissions. Additionally, the company is increasing rewards to researchers who contribute regularly and now offers extra payouts to those who increase their submissions year over year, the e-mail said.

Money has increasingly become an incentive for hackers. Programs such those from TippingPoint and iDefense offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for information on vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can exploit to break into computer systems, experts have said.

iDefense said it did not make the changes in response to TippingPoint's competition, but to underscore its commitment to the program after being acquired by VeriSign two weeks ago. "However, it turns out that the timing is also good in that it helps us straddle the new competition," said Michael Sutton, a lab director at iDefense.

Both iDefense and TippingPoint work with the person reporting a bug to disclose it to the maker of the faulty software so a fix can be produced.

Only a few companies pay security researchers for finding software vulnerabilities. iDefense's Vulnerability Contributor Program has been around for three years. TippingPoint, part of 3Com, announced its Zero Day Initiative on Monday and will celebrate the launch Wednesday at the Black Hat security conference in Las Vegas.

TippingPoint will also try to sell its program to researchers at Black Hat, which runs through Thursday. Both companies will also market their programs at the Defcon hacker event, which begins Friday.

Neither company discloses what amounts are paid for vulnerability information. However, Gael Delalleau, a French security researcher who has sold information to iDefense in the past, told CNET News.com that the payout is typically between $300 and $1,000, depending on the vulnerability.

"That's less than a day's worth of consulting," he said in an e-mail interview.

Delalleau welcomes TippingPoint's

TippingPoint is not surprised by the competition. "There already was competition," said David Endler, director of security research at TippingPoint, also noting the underground market. "At the end of the day, the security researcher is going to be the winner."

Response to the programs has been mixed among security researchers. While Delalleau applauds the competition for adding to security intelligence, others distrust the security companies and wonder whether exploiting flaws or selling them to criminal hackers could be too much of a lure.

"Can the security companies truly be trusted to diligently help to find a fix when their product is, by its very nature, dependent on insecure applications?" said Keith McCanless, a security researcher who has been credited with finding security flaws in various products.

Emmanouel Kellinis, a security researcher in London, said he is certain many researchers would consider the programs if they can get paid. "On the other hand, there is a possibility that they can make more money by exploiting a vulnerability," he said.

Most Popular

Latest tech news headlines

• Report: AMD Phenom II chips echo Intel's i7

  Posted in Nanotech - The Circuits Blog by Brooke Crothers

  December 1, 2008 7:00 PM PST

• EFF to court: Don't shield telecoms from illegal-spying suits

  Posted in News - Digital Media by Greg Sandoval

  December 1, 2008 5:42 PM PST

• Apple suggests Mac users install antivirus software

  Posted in News - Security by Elinor Mills

  December 1, 2008 5:30 PM PST

• See all headlines

Markets

Market news, charts, SEC filings, and more

Related quotes

VeriSign (-12.64%) -2.73 18.86

3Com (-6.47%) -0.13 1.88

Dow Jones Industrials (-7.70%) -679.95 8,149.09

S&P 500 (-8.93%) -80.03 816.21

NASDAQ (-8.95%) -137.50 1,398.07

CNET TECH (-7.06%) -77.09 1,014.20

  Symbol Lookup