Secunia to Coordinate Vulnerability Disclosure

My hat is off once again to Secunia for “Doing The Right Thing”. They seem to do this repeatedly and often. I hope that someday they open a Canadian office and are looking for a local Director-level candidate to help them build their business [End Shameless Plug].

Secunia is a Danish vulnerability management company offering products that are FREE for home use, such as the Online Software Inspector (OSI) and the Personal Software Inspector (PSI). Home users are the real weak points in the security chain: they have absolutely no budget available, and no interest in security spending at all. It is this kind of commitment and attention to them that continues to add value to Secunia for me. They are now aiming to make the task of reporting software vulnerabilities easier for researchers as they are discovered. Secunia will vet vulnerabilities and coordinate disclosure with vendors on the researchers’ behalf through the Secunia Vulnerability Coordination Reward Program (SVCRP).

SVCRP is not the only offering out there. Other vendor programs, like TippingPoint’s Zero Day Initiative or Verisign’s iDefense Labs Vulnerability Contributor Program, allow researchers to avoid the hassle of contacting multiple vendors and managing their different bug reporting policies. Most reporting coordination schemes will pay researchers for their discoveries, and they are naturally selective about the vulnerabilities they purchase and present to vendors. If a flaw is not impactful enough, or lacks a direct correlation with data loss or code execution, it is less interesting and valuable to the scheme, but not necessarily to the attacker.

Secunia will be accepting all vulnerabilities, regardless of their classification, as long as they are in off-the-shelf products. Flaws discovered in online services will not qualify.

Secunia will not profit directly from SVCRP, and doesn’t plan to provide advance notification about reported flaws to its customers. Researchers who use SVCRP for coordination will continue to receive any payments for their work from the vendors themselves. Vendors still have the final word, though, on whether or not they will pay out a reward for any specific vulnerability.

Unlike other programs, SVCRP won’t require researchers to provide working exploits for reported vulnerabilities, but it will appreciate the submission of as much supporting information as possible. Secunia’s own team of experts will investigate and confirm reports before sharing them with vendors. Researchers will get independent validation, and affected companies will receive consistent, reliable reports.

Secunia will reward the program’s most valuable contributors each year by inviting them to a primo annual security conference. Secunia, I am once again and continuously impressed. I hope someone there is reading this blog. Hmmm, I wonder if this was where the idea came from… 8)