Two weeks ago, VeriSign announced that it had made a deal to acquire iDEFENSE (see URL below). You probably know that iDEFENSE routinely pays security bug hunters for exclusive access to their discoveries. iDEFENSE then uses such information to work with vendors to create solutions to the problems. The company also uses that information to update the products that it sells to its customers.
This week, TippingPoint, a division of 3Com, announced it too will institute a bug bounty program. The new Zero Day Initiative will pay bug hunters for their discoveries, work with vendors to develop fixes for those problems, share the discoveries with other security vendors, and subsequently release some amount of information about the problems after a vendor has released a solution.
As iDEFENSE has shown, bug bounty programs are a concept that work. The concept does, however, raise a couple of interesting questions. The first is why don't vendors have their own bounty programs for problems related to their products?
The only entity I know of that pays for security bug reports regarding its products is Mozilla Foundation, which announced its program in August 2004. Dozens of security problems have been corrected as a result, and the foundation has paid thousands of dollars in rewards to the various discoverers. Obviously, the program is working.
Certainly, in some cases, a flaw found in a product can be a detriment, particularly when the discoverer releases vulnerability details before the vendor is notified that the vulnerability exists. However, it seems to me that an in-house bug bounty program is a partial remedy that could encourage discoverers to report a flaw to the company first (or forfeit the bounty) and mitigate at least some unfavorable media attention.
The second question that comes to mind is why do companies such as 3Com and iDEFENSE go it alone in their bug bounty programs? The concept could readily become an industry-wide collaborative effort. Product and service vendors (including those who benefit by operating businesses related to information security) could band together to form a group designed specifically to pay security researchers for their discoveries. A group like that could improve overall security for everyone by stemming the haphazard release of security vulnerability details before people have a chance to protect themselves. A collaborative effort would even help protect people who don't use computers (but whose private information is nevertheless stored on bank, credit card company, and mortgage company computers). Forming such a group seems like a great idea. I can only imagine why the industry hasn't already taken the initiative to do so.