This is done confidentially, and the information is even provided to their competitors or
other vendors that have vulnerability protection or mitigation products. Researchers
interested in participating can provide exclusive information about previously undisclosed
vulnerabilities that they have discovered. Once the vulnerability has been confirmed
by 3Com's security labs, a monetary offer is made to the researcher. After an
agreement on the acquisition of the vulnerability, 3Com works with the affected vendor to
generate a fix. When that fix is ready, 3Com notifies the general public and other vendors
about the vulnerability and the fix. When TippingPoint started this program, it
followed this sequence of events:
1. A vulnerability is discovered by a researcher.
2. The researcher logs into the secure ZDI portal and submits the vulnerability for
evaluation.
3. A submission ID is generated. This will allow the researcher to track the unique
vulnerability through the ZDI secure portal.
4. 3Com researches the vulnerability and verifies it. Then it decides if it will make
an offer to the researcher. This usually happens within a week.
Chapter 3: Proper and Ethical Disclosure
Gray Hat Hacking: The Ethical Hacker's Handbook
5.