
Zero Day Initiative by 3Com's TippingPoint


don

Post Mon Sep 04, 2006 10:02 pm

Zero Day Initiative by 3Com's TippingPoint

The Zero Day Initiative is set up to pay security researchers for their exploits. Recently, they announced their intentions to release general info about exploits that have gone unpatched for an extended period of time in the hopes of putting pressure on the vendor. Here's some more info:

Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities.

The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure.


Check it out:
http://www.zerodayinitiative.com/upcomi ... ories.html

Don
CISSP, MCSE, CSTA, Security+ SME

jimbob

Post Tue Sep 05, 2006 4:27 am

Re: Zero Day Initiative by 3Com's TippingPoint

By paying authors for zero day exploits, I assume they are buying the intellectual property behind it, i.e. discovery and development. This might seem attractive to the writers of exploits, but I fear it would tie their hands when it comes to full public disclosure. I have no problems with security researchers being rewarded for their work, but isn't this tying in the latest exploit detection/protection to a single vendor and a single product?

Jim

don

Post Tue Sep 05, 2006 9:54 am

Re: Zero Day Initiative by 3Com's TippingPoint

They have an FAQ that answers a lot of the small details.

http://www.zerodayinitiative.com/faq.html

Not pushing this group or supporting them in any way. I just thought it might spur more conversation if people also saw the FAQ.

Don
CISSP, MCSE, CSTA, Security+ SME

oleDB

Post Tue Sep 05, 2006 7:11 pm

Re: Zero Day Initiative by 3Com's TippingPoint

I think this is great, because it raises awareness on how slow the vendors are to release security patches that the public doesn't know about. Also, several companies pay for exploits, not just TippingPoint, so it's not really vendor specific; however, I don't know what's to stop a researcher from selling his work to multiple vendors. I think vendors should get between 3-6 months to patch a critical vulnerability depending on how much code they have to review. Waiting several years like MS did with some of the PNG vulnerabilities is so pathetic it should be illegal.
