(LiveHacking.Com) – The Danish security management company Secunia has launched a vulnerability reward scheme that operates independently of software vendors. As part of the program, Secunia will confirm vulnerability discoveries and handle coordination with the software companies on security researchers’ behalf.
Under the Secunia Vulnerability Coordination Reward Program (SVCRP) the company will offer rewards to researchers in the form of top-of-the-range merchandise, plus two major annual rewards that include free hotel accommodation and entry to an IT security conference. One of the hotel/conference rewards will go to the researcher who submits the most interesting vulnerability; the other will go to the researcher who, as judged by Secunia, has consistently coordinated correct, clearly detailed vulnerability reports that are quick and easy to confirm.
“The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities as well as creating proof of concepts or exploits; and not the sometimes extensive coordination and liaison process that follows with the vendor in order to fix the problem,” said Carsten Eiram, Chief Security Specialist at Secunia. “Under the new program we will both confirm vulnerability discoveries and handle the coordination process, allowing researchers to focus on the more exciting aspects of vulnerability research.”
Secunia is trying to distinguish the SVCRP from other vulnerability reward schemes: while those schemes pay researchers for their discoveries, the companies running them are very selective about which vulnerabilities they reward and coordinate. The SVCRP fills the gap for researchers who can’t or don’t want to participate in the other schemes but who would still like an independent third party to confirm their discoveries and handle coordination.
Secunia is willing to look at all types of vulnerabilities but they must meet the following basic criteria:
- The vulnerability affects a stable product.
- The vulnerability affects the latest version of the product.
- The product is actively supported by the vendor.
- The vulnerability is not already publicly known.
- Secunia Research is able to confirm the reported vulnerability.