Secunia joins the bounty-for-bugs bandwagon

According to the Scandinavian firm, researchers are being invited “to participate in a new programme launched today under which Secunia, independently of any software vendor, will confirm vulnerability discoveries and handle coordination with the vendor on the researchers’ behalf.”

The programme – known as the Secunia Vulnerability Coordination Reward Programme (SVCRP) – builds on the fact that researchers have, in the past, turned to Secunia for help on an informal basis. It will, says Carsten Eiram, the firm's chief security specialist, let the firm encourage even more researchers to allow Secunia “to help coordinate their vulnerability discoveries by providing this reward incentive."

"The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities as well as creating proofs of concept or exploits; and not the sometimes extensive coordination and liaison process that follows with the vendor in order to fix the problem. Under the new programme we will both confirm vulnerability discoveries and handle the coordination process, allowing researchers to focus on the more exciting aspects of vulnerability research," he explained.

According to Eiram, there are other vulnerability coordination offerings, but most have a business model wrapped around them. SVCRP is designed to be a complementary service to these.

“Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate. This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination,” he said.

The main benefit to independent researchers, he went on to say, is that Secunia offers the expertise to assess and validate the vulnerability and saves them the time and effort of coordinating directly with the vendor to fix it, allowing them to deal with other priorities while also giving added weight to their findings.

Benefits to vendors, meanwhile, says Secunia, include the fact that vulnerability discoveries from the researchers will be confirmed in detail by the research firm, which will work to determine the root cause of the problem in the code.

As a result, Secunia claims, vendors will receive very precise information about the vulnerability, and the research firm will work with them to find a complete fix, providing feedback and helping them confirm that their new patches are properly addressing the vulnerabilities prior to release.

This should, in turn, mean quicker investigation and a more thorough fix of the software problem. In addition, both researchers and vendors will benefit from having a trusted and independent third party such as Secunia act as an intermediary.

Users will benefit too. Because Secunia says it is able to undertake comprehensive coordination of vulnerabilities discovered by researchers, it expects the number of vulnerabilities actually coordinated with vendors to increase. This should in turn lead to a greater number of complete fixes for software problems, ultimately resulting in more reliable software.

Rewards on offer under the programme will range from top-of-the-range merchandise to two major annual rewards, such as free hotel accommodation and entry to an IT security conference chosen from a list of the most popular global security conferences.