Monday, May 07, 2007 2:52 PM
cmosby
McAfee Avert Labs Blog - Desperate Measures?
Desperate Measures?
Monday May 7, 2007 at 5:40 am CST
Posted by Rahul Kashyap
Trackback
Recently Gartner slammed 3Com’s TippingPoint division for sponsoring zero day contests without giving the vendor Apple Inc. a chance to fix the flaws before their patch release. They apparently paid $10,000 bounty to Dino Dai Zovi, a well distinguished security researcher at the recent CanSecWest conference.
Wow! It is rather ironic that a security company, who presumably wants to protect customers, will first put everyone to risk, not notify the vendor on time, and then release signatures! The anti-virus community, long the target of (bogus) claims that they write viruses to make money, wouldn’t touch a contest like this with a barge-pole. In fact, even staunch full-disclosure advocates note the ethical disconnect implicit in security companies producing content earlier than their competitors via such initiatives (see http://blog.ncircle.com/archives/2005/08/3coms_zero_day_initiative_cest.html and our premier issue of Sage.)
As security vendors, our mission is to protect our customers and the internet community at-large , not to create hype and FUD by giving the world a chance to exploit unpatched flaws!! Failing to disclose to anyone leaves the good guys in the dark - but supporting irresponsible disclosure give the bad guys night vision…
Source: Computer Security Research - McAfee Avert Labs Blog
Filed under: Security and Anti-Virus, Patch Management, Internet Applications