VeriSign Inc. vowed to expand iDefense's Vulnerability Contributor Program (VCP) when it purchased the Reston, Va.-based security firm earlier this month. Then an Austin-based competitor launched its own program to pay researchers
Tuesday, one day after 3Com and its TippingPoint division unveiled its Zero-Day Initiative (ZDI), Mountain View, Calif.-based VeriSign upped the ante, announcing big increases in what it will pay researchers for details on new security holes.
"Effective immediately, we will be doubling our standard pricing structure for vulnerability submissions," Michael Sutton, director of the iDefense Labs, said in a e-mail message to SearchSecurity.com. "As well, we are increasing the value of the incentive and retention reward programs and launching a new growth reward program."
Sutton noted in a follow-up phone interview Wednesday that both companies timed their announcements with the start of this week's Black Hat Briefings in Las Vegas and that "certainly [3Com] is competing with us."
Since a researcher's pay depends on what he or she delivers to either program, Sutton said it's hard to say which company is offering the sweeter financial incentives. But, he added, "For us the big picture is about trust and experience. I'm surprised it took three years for someone to start a competing program. The fact that we have three years of experience speaks for itself. I welcome the competition. It legitimizes what we do."
Sutton believes other security firms have been reluctant to follow suit for fear that their programs wouldn't work. "I think people were nervous," he said. "But we've proven it can be done well." He added that VeriSign's program has the edge because underground researchers already know they can trust it. "When a new person comes in there's hesitation," he said. "They want to know the company will follow through. We have a track record."
That said, Sutton left no doubt that VeriSign is taking 3Com's program seriously. "We know it's competition and we have to stay on top of things," he said. "No doubt about it -- we'll be competing on the financial front as well."
3Com spokeswoman Laura Craddick predicted the Zero-Day Initiative will stand the test of time because, unlike the VCP approach, her company will freely share its intelligence with the information security community.
"We are not reselling the information," she said. "We're giving it to the security community -- including other security companies -- for the greater good. People pay iDefense for the information they have. That's their business model. Our business model is that we protect people."
Joseph Payne, formerly iDefense's president and COO and now VeriSign's VP of intelligence, shrugged off Craddick's comments.
"One of our strengths is that we do make money by distributing intelligence," he said. "Because people are willing to pay for our intelligence, we can invest in the people and programs to expand our efforts. Arguing that free is better doesn't make sense to me. You have to have money to invest in the programs. And customers hold us to a high standard because they're paying for our services."
Details of VCP expansion
The VCP incentive program rewards the top three contributors for each quarter. Under the old pricing structure, the top three earned $3,000, $2,000 and $1,000, respectively. Now the top two will earn $5,000 and $3,000, respectively. The pay for the third-biggest quarterly contribution will remain at $1,000.
The retention program rewards the top five contributors each year. Under the old pricing structure, the top five contributors earned $5,000, $4,000, $3,000, $2,000 and $1,000, respectively. Now they'll earn $10,000, $8,000, $6,000, $4,000 and $2,000, respectively.
The new growth program will reward contributors that continue to increase their level of VCP participation, Sutton said. Under the program:
- Any contributor with at least five submissions in the current year will be eligible to participate.
- A contributor's submissions over the past 12 months will be compared to submissions in the 12 months before that.
- Those who make the grade will be paid annually.
- An individual must have been a VCP contributor for at least two years prior to the reward date in order to participate.
- The program will cover a July 1 to June 30 period, with the first payment covering July 1, 2005 to June 30, 2006.
- Contributors with submissions in the current year that equal or exceed submissions from the past year will receive a lump sum payment equal to 50% of all current year submissions.
- Contributors with submissions in the current year that equal or exceed twice the submissions from the past year will receive a lump sum payment equal to 100% of all current year submissions.
- Contributors with current year submissions that are equal or double past year submissions will receive a lump sum payment appropriately pro-rated between 50-100% of all current year submissions.
Details of the Zero-Day Initiative
Under 3Com's Zero-Day Initiative, the amount of the reward will depend on the severity of the security hole discovered, the firm said, adding that it will inform the maker of a flawed product when glitches are found while also updating its own security products.
Members of the ZDI program earn points each time 3Com purchases their vulnerability submission. The structure is similar to airline frequent flyer miles in that members accrue points each year on a dollar-for-dollar basis based on the aggregate dollar amount paid for vulnerability submissions during that calendar year.
"For instance, if the Zero Day Initiative buys your vulnerability for $5,000, then you receive 5,000 points for that submission," the company said on its Web site. "For all of calendar year 2005, if you received 31,000 points, then for calendar year 2006 you will be considered to have ZDI Gold status."
The levels of ZDI reward membership are:
- Bronze, worth 10,000 reward points;
- Silver, worth 20,000 points;
- Gold, worth 35,000 points; and
- Platinum, worth 50,000 points.
Bronze status includes a 10% automatic bonus on all vulnerability submissions over the next calendar year and a one-time bonus of $1,000. Silver status includes a 15% automatic bonus and a 125% ZDI reward points multiplier on all vulnerability submissions over the next calendar year, as well as a one-time bonus of $5,000 and paid travel and registration to attend DEFCON in Las Vegas.
Gold status includes a 20% automatic bonus on all vulnerability submissions over the next calendar year, a 150% ZDI reward points multiplier on all vulnerability submissions over the next calendar year; a one-time bonus of $10,000; and the same DEFCON travel package. Platinum status raises the automatic bonus to 25%, reward points multiplier to 200%, one-time bonus to $20,000 and both Black Hat and DEFCON travel awards.