A security company that pays hackers for information on software flaws and exploits plans to release a list of 29 unpatched flaws in products sold by a host of big-name vendors, including Microsoft, IBM, Apple Computer and Novell. The Aug. 28 disclosure from TippingPoint’s ZDI (Zero Day Initiative) flaw bounty program is a significant change to the way the 3Com-owned company handles the disclosure of vulnerability data it buys from external researchers. Instead of waiting for software makers to issue patches, TippingPoint will announce the flaw purchase in bare-bones advisories at the time the issue is reported to the vendor. Dave Endler, director of research at TippingPoint, in Austin, Texas, said the list of 29 includes six bugs affecting Microsoft; three affecting Novell; two each for products sold by IBM and Apple; and one each affecting AOL, Adobe and Sun Microsystems.