Another day, another vulnerability reporting reward program. Kinda.
Secunia, a vulnerability management vendor from Denmark, is the latest to join the bounty brigade, but it is bringing its spin to the market. Secunia’s new Secunia Vulnerability Coordination Reward Program is another platform for researchers to report software security flaws, but Secunia goes a step further and offers to handle the reporting process to the affected vendor. Software vendors have varied and sundry reporting processes and Secunia hopes to help researchers skip the hassle, according to Carsten Eiram, chief security specialist at Secunia.
“Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate,” he wrote in a release from the company. “This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.”
TippingPoint’s Zero Day Initiative (ZDI) and VeriSign’s iDefense Labs Vulnerability Contributor Program are probably the best-known bug-bounty programs offered by security companies. Google, Microsoft and Mozilla also have their own twists on bug bounties. ZDI, for example, pays researchers for previously unpatched bugs and then develops signatures for its intrusion prevention products to give its customers first crack at protection. It also works with the affected vendor, and once a patch is ready, a joint advisory on the vulnerability is prepared.
Secunia says it will provide detailed information on vulnerabilities to the affected vendors and will participate in the patch process by providing feedback on fixes and confirming patches resolve the issue in question. Secunia hopes to establish itself as a trusted, independent third party in the vulnerability remediation process. In addition, the company says it will not notify its customers in advance as ZDI would. Instead, a public advisory would be the first notification of a vulnerability.
Secunia has established certain conditions for vulnerabilities to be considered: the vulnerability must not already be publicly known, and it must have been found in a stable product, in the latest version that is actively supported by the vendor. Secunia’s research team must also be able to confirm the vulnerability.
Secunia said its rewards will include merchandise, as well as accommodations at and entry to major security conferences.