Two important points about TippingPoint’s Zero Day initiative, where they plan to pay hackers for finding new vulnerabilities:

1. TippingPoint is exerting a form of mild negligence to increase the general risk associated with the Internet in the face of seeking competitive advantage. It’s not a big deal, but it is a little deal. I’ve said it a million time – there is no value to this for the community at large.

2. If TippingPoint needs to find new vulnerabilities in order to protect against "zero days" then it provides insight into how it markets its products. In this case, a zero day is a known vulnerability without a patch, not an attack against an "undercover" vulnerability (one that is only known by a few bad guys).

None of this is really that significant, to be honest, since the "black market" for vulnerabilities is not very robust to begin with. (Btw, while writing this, I realized I should distinguish between vulnerabilities associated with software vendors’ platforms like operating systems, databases, and web servers and vulnerabilities associated with an enterprise or organization’s web site – such as a known SQL Injection attack (not really a vulnerability, but you get my point hopefully). This posting applies to the former and not the latter).

Apparently, I also had this to say to InformationWeek:

"Another problem, says Pete Lindstrom, founder and analyst at Spire Security, could arise if people investigating security vulnerabilities begin to think more about cash rewards than about helping the software industry improve its products. And if they start peddling their information to the highest bidder, they may end up selling information about software flaws to criminals, who can probably outbid security firms in order to find about vulnerabilities that they can exploit for profit. "

I do recall making a throwaway comment that the money being offered likely wasn’t enough to significantly alter anyone’s particular affiliations to begin with, but I didn’t quite mean what this says. Close enough.