Vulnerability researchers are being invited to participate in a new program under which Secunia, a provider of vulnerability intelligence and vulnerability management tools, will confirm vulnerability discoveries independently of any software vendor, and handle coordination with the vendor on the researchers’ behalf.
The program, entitled The Secunia Vulnerability Coordination Reward Program (SVCRP) is open to any researcher who has discovered vulnerability in any software and would like a third party to confirm their findings and handle the co-ordination process with the software vendor for them.
As part of the program, Secunia will offer rewards to researchers who contact them with vulnerabilities they have found and who wish Secunia to coordinate them with the vendor. This comprehensive program is designed to be complementary to those run by other organisations and will cover all vulnerabilities as long as they meet Secunia’s criteria.
Carsten Eiram, Chief Security Specialist at Secunia, explains, “The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities as well as creating proof of concepts or exploits; and not the sometimes extensive coordination and liaison process that follows with the vendor in order to fix the problem. Under the new program we will both confirm vulnerability discoveries and handle the coordination process, allowing researchers to focus on the more exciting aspects of vulnerability research.”
He continued, “Other major vulnerability coordination offerings exist but most have a business model wrapped around them. SVCRP is designed to be a complementary service to these. Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate. This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.
Some of these researchers have in the past turned to Secunia for help on an informal basis and we now want to encourage even more researchers to allow us to help coordinate their vulnerability discoveries by providing this reward incentive.”
The main benefit to independent researchers is that Secunia offers the expertise to assess and validate the vulnerability, and saves them time and effort in coordinating directly with the vendor to fix the vulnerability, thus allowing them to deal with other priorities as well as giving added weight to their findings.
Benefits to vendors include the fact that vulnerability discoveries from the researchers will be confirmed in great detail by Secunia to determine the core problem in the code. As a result, vendors will receive very precise information about the vulnerability, and Secunia will also work with them to find a complete fix, providing feedback and helping them confirm that their new patches are properly addressing the vulnerabilities prior to release. This should mean quicker investigation and thorough fix of the software problem.
In addition, both researchers and vendors will benefit from having a trusted and independent third party such as Secunia to act as an intermediary.
Users will benefit since, as Secunia is able to undertake comprehensive and extensive coordination of vulnerabilities discovered by the researcher, there is likely to be an increase in the number being coordinated with the vendor. This should in turn lead to a greater number of complete solutions to software problems, ultimately leading to more reliable software and therefore more efficient working.
All classes of vulnerability across most products are eligible for the SVCRP program as long as the following criteria are met:
- The vulnerability affects a stable product
- The vulnerability affects the latest version of the product
- The product is actively supported by the vendor
- The vulnerability is not already publicly known
- Secunia Research is able to confirm the reported vulnerability.
No Secunia customers will receive any advance notification about the vulnerabilities coordinated by Secunia, whether they are internal discoveries or vulnerabilities coordinated via this reward incentive. All customers, as well as the community at large, will receive the information simultaneously when the Secunia advisory is published. Researchers will continue to receive any payments to which they are entitled from vendors for coordinating vulnerabilities.
Secunia will confirm the vulnerabilities through testing in their extensive and independent laboratory testing facilities, but will not receive any money or other reward from vendors either for confirming or for coordinating the vulnerability on behalf of the researcher.
The rewards on offer will range from top-of-the range merchandise to two major annual rewards such as free hotel accommodation and entry to an IT security conference chosen from a list of the most popular global security conferences. The latter rewards will be given for the first time in January 2012.
One reward will be given to the researcher who coordinates the most interesting vulnerability in the form of a prize under the Most Interesting Coordination Report category. Criteria will include complexity, impact, level and level of detail. The other will be given to the researcher who has been consistently coordinating correct, clearly detailed vulnerability reports that are quick and easy to confirm. The researcher will be given the title, “Most Valued Contributor’ by Secunia. Other rewards will be continuously given to researchers coordinating their discoveries through Secunia based on their individual performance.
There is no charge or enrolment process for researchers to participate in the program, which forms part of several initiatives from Secunia to benefit the community.