Secunia has rolled out the “Secunia Vulnerability Coordination Reward Program” (SVCRP), a new program that aims to benefit both the IT community and end-users by uncovering and helping to resolve previously unreported bugs.
Most other schemes pay researchers for their discoveries (bug bounty programs), and while these offerings are excellent for researchers, the companies are, naturally, very selective about which vulnerabilities they wish to purchase and coordinate. This leaves a huge gap for researchers, who would often like an independent third party to confirm their discoveries and handle coordination.
SVCRP is open to any researcher who has discovered a software vulnerability and would like a third party to confirm their findings and handle the coordination. As part of the program, Secunia will offer rewards to researchers who come to them first, and use Secunia to act as a point of contact with the vendor.
The main benefit to researchers is that Secunia will assess and validate the vulnerability, thus allowing them to deal with other priorities as well as giving added weight to their findings.
Benefits to vendors include the fact that vulnerability discoveries are confirmed in detail. As a result, vendors will receive very precise information about the vulnerability, and Secunia will work with them to find a fix, provide feedback and help confirm that their new patches are properly addressing the vulnerabilities prior to release.
“The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities as well as creating proof of concepts or exploits; and not the sometimes extensive coordination and liaison process that follows with the vendor in order to fix the problem,” explained Carsten Eiram, Chief Security Specialist at Secunia.
“Under the new program we will both confirm vulnerability discoveries and handle the coordination process, allowing researchers to focus on the more exciting aspects of vulnerability research. Other major vulnerability coordination offerings exist but most have a business model wrapped around them. SVCRP is designed to be a complementary service to these.”
The rewards on offer will range from top-of-the-line merchandise to two major annual rewards such as free hotel accommodation and entry to an IT security conference chosen from a list of the most popular global security conferences.
Secunia was clear that there is no cash on offer, but researchers will continue to receive any payments to which they are entitled from various vendors. The company also noted that customers will not receive any advance notification about the vulnerabilities.
More from Steve Ragan
