Security company looks to work with hackers
Security company Tipping Point is establishing the ‘Zero Day Initiative’ to pay security researchers for finding bugs in popular programs.
Tipping Point said it would share finds with other security firms.
Many small security companies exhaustively analyse programs, such as Microsoft Windows, for loopholes and bugs. Leaving bugs unpatched makes users of the programs vulnerable to exploitation by criminal hackers.
Tipping Point’s scheme capitalises on the large number of security researchers trying out exploits on software and aims to pay them for their work. Security researchers will be able to submit bugs to Tipping Point and, if the loophole is found to be real and serious, will receive a cash offer for what they have found within a week. Hackers could earn up to $50,000 a year by submitting bugs to the scheme.
Researchers will receive points for every dollar Tipping Point spends to buy the bug. The points will generate further rewards and benefits including cash bonuses and free tickets and travel to key industry conferences. Only legitimate security researchers are eligible to join the scheme.
Other security firms also offer financial rewards in return for bugs, including iDefense, whose Vulnerability Contributor Program pays cash for them. Open-source browser-maker Mozilla gives $500 and a T-shirt to those who find critical bugs in its software.