Since July 2005, TippingPoint has paid researchers for uncovering vulnerabilities. The program, dubbed "Zero Day Initiative," to make clear it was only forking over cash for zero-day bugs, doesn't publish a reward rate structure. 3Com uses the information it acquires from the bounties to add protection via its Digital Vaccine service.
"The ClamAV vulnerability is the fourth vendor vulnerability disclosed through ZDI with a corresponding patch," said David Endler, director of security research for TippingPoint, in a statement. "By ensuring threat information remains confidential until a patch can be issued, we are helping strengthen security for all technology users and reducing the risk of zero day attacks."
iDefense, a security intelligence company owned by VeriSign, also has a bug bounty program.