3Com makes an offer for the vulnerability, and the offer is sent to the researcher
via e-mail that is accessible through the ZDI secure portal.
6. The researcher is able to access the e-mail through the secure portal and can
decide to accept the offer. If this happens, then the exclusivity of the
information is assigned to 3Com.
7. The researcher is paid in its preferred method of payment. 3Com responsibly
notifies the affected product vendor of the vulnerability. TippingPoint IPS
protection filters are distributed to the customers for that specific vulnerability.
8. 3Com shares advanced notice of the vulnerability and its details with other
security vendors before public disclosure.
9. In the final step, 3Com and the affected product vendor coordinate a public
disclosure of the vulnerability when a patch is ready and through a security
advisory. The researcher will be given full credit for the discovery, or if it so
desires, it can remain anonymous to the public.
That was the initial approach that TippingPoint was taking, but on August 28, 2006,
it announced a change. Instead of following the preceding procedure, it took a different
approach. The flaw bounty program would announce its currently identified vulnerabilities
to the public while the vendors worked on the fixes.
Pages:
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201