funsec mailing list archives

Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Mon, 28 Aug 2006 21:38:25 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Josh Bressers wrote:
>> I did the same thing with vulnerabilities I found before I came to
>> TippingPoint, and others (notably eEye) also engage in this practice.
>> Calling it extortion is completely out of line, IMO.
>
> What does this practice accomplish though?  As an outsider it seems that
> the goal here is to frighten people into purchasing your service lest they
> be compromised.

I engaged in this practice before I was hired by TippingPoint.  If 
you're an individual or organization with enough visibility (which I 
probably was not, but TippingPoint is), it can really turn heads to name 
vendors whose products have had vulnerabilities go unremedied for 
extended periods of time.  The sheer number of vulnerabilities acquired 
and the severity of the issues that ZDI deals with means vendors who end 
up with vulnerability reports consistently lagging in queues at 
TippingPoint may have a PR problem on their hands.  The researchers who 
contribute to the ZDI are aware of this, and as a result, this type of 
"pipeline" information was widely requested of us.

We also gain from having the TippingPoint name associated with the 
publicity that the public reports generate.  The calculation is not one of:

"If we don't buy TippingPoint, we'll be compromised."

That's not our goal.  3Com shares the details of issues acquired through 
the ZDI program with other security vendors (including competitors) for 
use in their products, if they can meet a minimum standard for 
resistance to reverse engineering of the vulnerability information. 
What we DO want customers to recognize, however, is that TippingPoint is 
the only company out there who's willing to put our money where our 
mouth is and go after the best threat information we can buy.

While you shouldn't take what I've said here as official (I don't speak 
as a company rep), I believe TippingPoint has much to gain from putting 
information out there in an aggressive, yet responsible manner.  I also 
believe that TippingPoint's end goal is not to inspire fear in 
competitors' customers, but confidence for our own customers that we go 
the extra mile.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
Comment: New (15 May '06) Key: Fetch from pgp.mit.edu; ID=0x2257C33F
-----END PGP SIGNATURE-----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.