altruism at 3com’s Zero Day Initiative

July 25, 2005 by Saar Drimer

3COM and TippingPoint launched a service called the Zero Day Initiative. They will buy exploitable software vulnerabilities, pay the “researcher,” protect their own customers first and then inform the affected vendors. That’s a good idea: alongside the old motive of anonymous fame comes a second one, money. Besides having your illustrious alias known in the “research” community, you’ll get a hefty sum. That’s a very reasonable incentive structure.

However, reading the “How it works” page, the warm fuzzy feeling diminished…

Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com later provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Come ON! Altruism is not in the vocabulary of any corporation. Is 3COM here to save the world or make money? Did 3COM become a non-profit organization? I got a chuckle out of that. I’m sure the marketeers who wrote that one thought they were very clever… “Hmmm… a word I’ve never used before.”

The other thing that bothered me, keeping the above conflict of interest in mind, is found on the same page (loosely quoted):

Step 5. 3COM makes an offer to purchase the vulnerability.
Step 6. Researcher accepts offer.

Even on the FAQ page, they conveniently avoid specifying what happens if the “researcher” does NOT accept the offer. Does 3COM, out of its altruism, disclose the vulnerability anyway? Is the agreement simply forfeited? Could they even land in legal trouble if they chose not to disclose?

3COM, I am genuinely interested in how you will deal with such cases.


1 Comment

  1. Alex Chauvin says:

    And what is planned if 3Com is not able to circumvent the vulnerability in its product? Will they publish it anyway, or delay the announcement until it is fixed?
    The way vulnerabilities are exposed first to the manufacturer and then to everyone is fair, although including some delay provides hackers with more time to exploit flaws.
    Anyway, probably a marketing idea as you stated, but this time not so good…
