3Com and its TippingPoint division today announced the formation of the
Zero Day Initiative (ZDI), aimed at ensuring the responsible disclosure of
security flaws, also known as vulnerabilities, in order to make technology
more secure for users. The goal of the Zero Day Initiative is to proactively
protect businesses as soon as possible against newly discovered vulnerabilities.

As part of the program, 3Com will reward security researchers who
responsibly reveal information on newly discovered vulnerabilities, as
opposed to publicly posting the potentially harmful information,
catching businesses and vendors off-guard and unprotected. 3Com will
notify affected vendors of security flaws so they can immediately begin
working on a solution, most often in the form of a patch. The
vulnerabilities will only be disclosed publicly by 3Com once the
affected vendor is able to offer a solution to end users, mitigating the
threat. 3Com will also use the information to provide preemptive
protection to customers through its TippingPoint Digital Vaccine®
service. Additionally, 3Com plans to share vulnerability details freely
with other security vendors prior to public disclosure.

"Through this program, we seek to ensure that newly discovered
vulnerabilities are managed, disclosed and remediated responsibly, so
they don't pose a threat to businesses," said 3Com Chief Technology
Officer, Marc Willebeek-LeMair. "The sooner we have information about a
vulnerability, the sooner we can deliver protection to our customers.
Ultimately, this benefits everyone: security and technology vendors,
security researchers, end users, as well as 3Com and its TippingPoint

Vulnerabilities enable attackers to gain control of a system for
malicious purposes. They can also result in worms or Denial of Service
attacks, which can bring down entire networks. Zero day disclosure
occurs when the discoverer of the vulnerability discloses the flaw to
the public without notifying the vendor, putting businesses at risk from
the time of disclosure until the affected vendor issues a patch. It can
take vendors weeks or months to supply a patch.

Intrusion Prevention Systems (IPS), like TippingPoint's, are one of the
few methods of proactive protection. In addition to reducing
industry-wide security risks, obtaining advanced information on
vulnerabilities enables 3Com to offer its TippingPoint™ IPS customers
even more preemptive protection than currently provided through the
TippingPoint Digital Vaccine update service.

"Our world-class security research team is already on the forefront of
the industry, well ahead of the game when it comes to providing advanced
vulnerability protection," said David Endler, Director of Security
Research for 3Com's TippingPoint division. "This program will extend our
research organization even further, and enable us to tap some of the
most brilliant minds in the global security research community. Prior to
the availability of a vendor-supplied solution or patch, our customers
will be protected against threats they aren't even aware of through our
Digital Vaccine service."

Many security researchers want to be recognized for their discovery, but
they don't always achieve that in a responsible manner. With this
program, the researcher is recognized for the discovery when the
vulnerability is publicly disclosed with the vendor's patch.

"3Com's initiative is a positive step for the industry," said In-Stat
Research Analyst Victoria Fodale. "Viruses or worms that take advantage
of vulnerabilities that vendors are not yet aware of can be devastating
to an organization. Both vendors and customers stand to benefit from
this program. 3Com and its TippingPoint division are to be commended for
taking this leadership position."