3Com has identified a vulnerability in a popular Linux anti-virus program, the fourth time bug bounty hunters have cashed in on the reward the company's TippingPoint division pays for digging up software flaws.

Since July 2005, TippingPoint has paid researchers for uncovering vulnerabilities. The program, dubbed "Zero Day Initiative," to make clear it was only forking over cash for zero-day bugs, doesn't publish a reward rate structure. 3Com uses the information it acquires from the bounties to add protection via its Digital Vaccine service.

"The ClamAV vulnerability is the fourth vendor vulnerability disclosed through ZDI with a corresponding patch," said David Endler, director of security research for TippingPoint, in a statement. "By ensuring threat information remains confidential until a patch can be issued, we are helping strengthen security for all technology users and reducing the risk of zero day attacks."

Tipping Point notified the developers of the open-source ClamAV anti-virus program of the bug in mid-December. On Monday, the group posted a security update to fix the heap overflow flaw.

iDefense, a security intelligence company owned by VeriSign, also has a bug bounty program.