Jul 27 2005

Zero Day Initiative

Published by Martin at 6:18 am under Hacking

Zero Day Initiative | 3Com | TippingPoint, a division of 3Com

I’m going to have to mull this one over for a while. 3Com and their subsidiary, TippingPoint, have started a program where they pay ’security researchers’ for finding flaws in programs. Of course, just because a large portion of these ’security researchers’ will be hackers doesn’t mean that there is anything intrinsically wrong with the program. I’ll be curious to see what sort of vulnerabilities ZDI gets turned in to them.

Will this have any effect on the hacking community as a whole? I doubt it. You have three levels of hackers out there. First there are the ’script kiddies’, the people who are smart enough to use a tool but won’t necessarily understand what it is they’re doing. None of these guys are going to be taking advantage of ZDI, unless they get real lucky.

The second level is where the real hackers start: people who understand programming, vulnerabilities, and how to use the first to take advantage of the second. As I see it, this is probably who the program is aimed at. These are the people who are going to be digging into the programs and finding the majority of the vulnerabilities.

Then you have the top ranks of the hackers, the guys who do it because it’s their passion, because it’s part of who they are. The guys who are in it for the money can probably make more working for the Mob or doing their own thing, rather than turning their discoveries over to ZDI. They probably wouldn’t report anything until they’ve had a chance to use the vulnerability themselves.

Until vendors start acting responsibly to fix the vulnerabilities presented to them, something like the ZDI will need to exist. I think it was Oracle who recently sat on several serious vulnerabilities for over 6 months. Microsoft is getting better, but they still have problems getting patches out in a timely manner. It’s one thing for my systems to get compromised by a real zero day vulnerability, but when systems get owned because of a vulnerability that the vendor is sitting on, it’s the vendor’s fault.

Here’s another article on the ZDI initiative from Eweek.com: Paying for Flaws: Undermining Security or Rewarding Good Deeds?


One Response to “Zero Day Initiative”

  1. Axelon 27 Jul 2005 at 11:23 pm

    You forgot the most infamous group of hackers: the knowledgeable ones who do it for money. They’ll spit on the ZDI - and they are, in my eyes, the most dangerous ones.