Just a note... it's Tipping Point (not Tripping Point.)  I'm not a member, yet, but have considered it, and I'm also looking at their IPS solutions (They're discussing partnering with me, for some of my clients, so I'm very interested in everything they're doing, right now...)

I'm not certain I'd like that piece, myself (if I were looking at it from the standpoint of someone who regularly tries to make money on these things,) as once you've submitted it, what's to stop Tipping Point (or whomever) from doing their own research on it, releasing it themselves, or coding things into their products as an 'advance knowledge' release, to give them heads up over other protection vendors.

Note, from Tipping Point's perspective, I COMPLETELY understand it, and as a security professional, in general, I don't have a problem with it, per se.  I'm not personally in any position where I want or need to monetarily gain from finding holes in outside code.  That doesn't mean that I wouldn't accept compensation if I find a new hole during a pentest - just that I wouldn't go looking through code for the sake of doing it, to make a profit, as other companies or individuals do.  But that's just me, and if it's what you're best at, more power to you, because you are using your talents to make the world a better place, in your own way.

Note - There's a fine line, in this world, between those who profit from others' mistakes, and those who profit for the greater benefit of others...  (While this falls into both categories, it becomes, to me, 'Which perspective or side are you acting from, when you submit the 0day?')  This is one of those very gray areas (not black and white) in the security world.  If you're doing it for good reasons, and making money while you're at it, that's great!  If you view it as trying to draw attention to xyz company's code, and really make them look bad (while still making money,) then to me, you're not being ethical.  Ethical, in my world, isn't intentionally making another vendor or developer look bad, but rather, working to help them, and their customers, to be more secure and trustworthy.  So programs like this one, when utilized properly, in an effort to benefit all, are, IMHO, good ones.

I only know that, for me in general, I have better use of my own time, NOT digging through code all day looking for issues, when I can be more valuable in educating customers, coworkers, the community at large, and others in all aspects of security, not JUST code.   

I fully agree, Ketchup. 

Like I said, to me, it's a very gray line, and I should've clarified, not just for the seller, but the buyer, as well.  I've never been a fan of 0day, so to speak, at least not in the way it's ever been handled.  And I don't know that there's ever going to be an easy way to 'regulate' it.  I think exchanging any money for them is just asking for trouble, unless the sole buyer was to be the vendor who wrote the code, and was willing to buy, for themselves, to remediate.  Otherwise, ultimately, there's too much room for error. 

However, there's also the devil's advocate position / opinion, that these 0day's may never come to light at all, until it's too late, if nobody is willing to buy in effort to remediate.  So it's a catch-22, regardless...

there's no insurance for either the buyer or seller in this matter. its like a drugsdeal (which go bad almost all the time, if we believe hollywood). both have something they want, but is it legit? how does either of the both party's know there not getting crossed? like hayabusa said, its like making a deal with the devil, hoping he's a saint. i'd like to see this initiative to work, but there has to be extream caution in getting this bulletproof.

Exactly.  (Thus my possibly signing on as a partner.)  I've been very pleased with their devices, and have only heard and seen good reviews on them.

in theory this goes completely against the purpose (mission and vision) of the company, making the whole idea ridiculous.