How a security researcher discloses a vulnerability is often as important as the discovery of the vulnerability itself. To further that end, security services vendor Secunia, which has been providing security advisories to the market for nearly a decade, is now expanding their efforts with the The Secunia Vulnerability Coordination Reward Program (SVCRP). The SVCRP will take in vulnerabilities from third party security researchers, help verify the research and then coordinate with software vendors.
Carsten Eiram, chief security specialist at Secunia told InternetNews.com that Secunia has working relationship with many software vendors that often enable them to get better results than independent researchers can get on their own.
"Often we can get a vendor to fix things a bit quicker," Eiran said. "Also, many of the researchers really want to focus on finding the vulnerabilities and not the whole coordination process with vendors afterwards."
The way the SVCRP works is they first independently confirm the finding of the third party research. Then Secunia approaches the software vendor in question to begin the disclosure process. Eiran noted that the vendor usually gets back to them and then Secunia will follow up with the vendor over time on status.
Eiran stressed that no money is changing hands between Secunia and the vendors or the security researchers. He noted that the SVCRP is not a vulnerability purchase plan like HP TippingPoint's Zero Day Initiative (ZDI) that pays researchers for their discoveries. While there is no cash involved that doesn't mean there isn't a reward. Rewards include what Secunia describes as "top-of-the range merchandise."
"We want to reward the researchers for coordinating their disclosure and we don't want to pay them for their discoveries," Eiran said.
ZDI, Google and Mozilla all pay security researchers for their disclosures. This is not the route that Secunia wants to take for a number of reasons. Eiran explained that with ZDI, because they are paying for the information, the disclosure has to have value to ZDI. "That's why they are selective on what they buy," Eiran said.
In contrast, the Secunia model isn't linked to the same financial incentive and as such has the potential to accept research that ZDI would not. Eiran sees the Secunia program is complementary and not competitive to ZDI. "Any type of vulnerability class, we will accept. We don't really look at the vulnerability type, we look to see if the product is stable and if it's a vulnerability that is not already known."
In terms of how Secunia actually verifies whether or not a submitted item is actually a real security vulnerability, Eiran said that's up to a human. "Our primary tool is the brain, our skillset and knowledge. We also use tools like IDAPro and we use debuggers, but overall we're not very tool based, we're skill based."