Carsten Eiram discusses SVCRP

By Carsten Eiram

Over the past years, Secunia has steadily received more and more coordination requests from researchers asking Secunia to confirm their vulnerability discoveries and handle coordination with the vendor. Initially, this was an unofficial service provided to a few people in the community, but as more and more researchers contacted Secunia, it grew into a semi-official service provided by Secunia to the community.

Today, Secunia takes this community effort one step further by launching the Secunia Vulnerability Coordination Reward Program (SVCRP).

The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities, as well as creating PoCs or exploits; it is not the sometimes extensive coordination and liaison process with the vendor that follows in order to get the vulnerabilities fixed. SVCRP offers to confirm researchers' vulnerability discoveries and to handle the coordination process on their behalf, allowing researchers to focus on the more exciting aspects of vulnerability research, and even rewards them for it.

Other major vulnerability coordination offerings exist, but most have a business model wrapped around them. SVCRP is designed to be a complementary service to these. Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate. This leaves a huge gap for researchers who either do not want to sell their vulnerabilities or discover vulnerabilities that do not fulfil the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.

Some of these researchers have in the past turned to Secunia for help on an informal basis and we now want to encourage even more researchers to allow us to help coordinate their vulnerability discoveries by providing this reward incentive.

Rewards range from various SVCRP merchandise to, currently, two major annual rewards: free hotel accommodation and entry to an IT security conference chosen from a list of the most popular global IT security conferences. One of these two rewards goes to the researcher who has coordinated the most interesting vulnerability, as judged by Secunia Research, and the other to the researcher named "Most Valued Contributor" by Secunia Research.

It's important to stress that no customers receive advance notification about the vulnerabilities coordinated by Secunia – neither internal discoveries nor vulnerabilities coordinated via this reward incentive.

Everyone – customers as well as the community – receives the information at the same time when the Secunia advisory is published.

Tune in later for more information on this new initiative, improvements to the initiative, the awards, and the researchers being awarded. If you want to know more about SVCRP or would like Secunia to confirm and coordinate a vulnerability on your behalf, then please visit our SVCRP page.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Read the official press release here.