3COM 0-day initiative

3COM, through its TippingPoint division is creating a vulnerabilities market. They offer compensation for vulnerabilities found, and seem to have a responsible notification process.

The security researcher offers his finding to 3COM, and they decide how much it’s worth. The researcher then choses whether to accept or reject the offer. Now, this isn’t a real market, as there’s only one legit buyer – I’d like to see this done in a broker scenario, offering the sale to the highest bidder (presumably including the OEM responsible for the vulnerability). This would put pressure on the vendors to get their software fixed before shipping.

3COM doesn’t state (at least in what I skimmed) if they charge the OEM for the information. Their financial motivation seems to be that their IDS product is more up-to-date than the others because they have first-crack at the information.

This process exposed a QuickTime vulnerability that’s exploitable through a web browser allowing Java to execute (presumably through the QuickTime for Java bridge). This is just an illustration of the fact that as you expose more of the outside of the sandbox, your risks increase. Shore up your sandbox with NoScript, which, incidentally, now offers some XSS protection. This was previously reported in the press as a Safari vulnerability, but it’s not – it’s exploitable through Firefox too.

The only downside to this whole process is that they’re not allowing blackhats to play. They want to be able to file the proper IRS forms, they say, but I can’t see why fees to blackhats necessarily cause a problem here, especially if the funds are wired off-shore. Extortionists are paid all the time by big online companies, and there are no IRS forms there. This is some kind of excuse on 3COM’s part, but I’m not sure what they think their exposure is by allowing the blackhats to play – their products would increase in value just the same, and vendors still get their products fixed. Right now, the blackhats have to turn to a Mafia to get money for their codez, so IRS or not, allowing blackhats in only improves the security situation, and perhaps turns a few blackhats into whitehats.