If you discover a critical vulnerability in a piece of software that was not previously known, you are expected to tell the company behind the software about it - unless you would rather sell the hole to cybercriminals and become a criminal yourself.
But the process of getting hold of large companies such as Adobe or Oracle and telling them about a vulnerability can be cumbersome enough in itself, finds the Danish security firm Secunia, which is therefore now launching a scheme in which Secunia acts as intermediary and takes over the entire reporting process.
The scheme has been named the Secunia Vulnerability Coordination Reward Programme, the company writes in a press release.
»The fun part of finding vulnerabilities is the process where you find and understand the vulnerabilities and create proof of concepts and exploits, not the sometimes extensive coordination and collaboration process that follows with the software vendor in order to fix the problem,« says Carsten Eiram, security specialist at Secunia, in the press release.
More and more large software vendors have begun paying finder's fees for a vulnerability if it is critical. If a vulnerability that Secunia has received under the new programme triggers a bounty from, for example, Google, Secunia will pass the money on to the person who discovered the hole.
In addition, Secunia will contribute a number of prizes to some of those who contribute vulnerabilities. These may be tickets to IT security conferences or merchandise, Secunia writes, and the company will also name two 'contributors of the year'.
Anyone can contribute vulnerabilities in any kind of software, as long as the hole has been found in the latest version of a product that is still supported by the vendor and is not a beta version.
Secunia will then check the vulnerability itself before information about it is passed on to the affected software vendor.
The Danish company has specialised in software vulnerabilities since its founding in 2002 and develops software that checks whether updates are missing for the software you have installed.
Secunia Launches Independent Vulnerability Reward Programme
Researchers to be rewarded for finding all vulnerabilities across all platforms
Vulnerability researchers are being invited by Secunia, the leading provider of vulnerability intelligence and vulnerability management tools, to participate in a new programme launched today under which Secunia, independently of any software vendor, will confirm vulnerability discoveries and handle coordination on the researchers’ behalf.
The programme, entitled The Secunia Vulnerability Coordination Reward Programme (SVCRP), is open to any researcher who has discovered a vulnerability in any software and would like a third party to confirm their findings and handle the co-ordination process with the software vendor on their behalf. As part of the programme, Secunia will offer rewards to researchers who contact them with vulnerabilities they have found. This comprehensive programme is designed to be complementary to those run by other organisations and will cover all vulnerabilities as long as they meet Secunia's criteria.
Carsten Eiram, Chief Security Specialist at Secunia, explains, "The fun part of vulnerability research is the actual process of discovering and understanding the vulnerabilities as well as creating proof of concepts or exploits; and not the sometimes extensive coordination and liaison process that follows with the vendor in order to fix the problem. Under the new programme we will both confirm vulnerability discoveries and handle the coordination process, allowing researchers to focus on the more exciting aspects of vulnerability research. In addition, under our new programme we will reward them for coordinating the vulnerabilities."
He continued, "Other major vulnerability coordination offerings exist but most have a business model wrapped around them. SVCRP is designed to be a complementary service to these. Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate. This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.
Some of these researchers have in the past turned to Secunia for help on an informal basis and we now want to encourage even more researchers to allow us to help coordinate their vulnerability discoveries by providing this reward incentive."
Vulnerability researchers and vendors alike have welcomed the initiative. The main benefit to independent researchers is that Secunia offers the expertise to assess and validate the vulnerability, and saves them time and effort in coordinating directly with the vendor to fix the vulnerability, thus allowing them to deal with other priorities as well as giving added weight to their findings. Vendors are positive about the initiative as Secunia is widely regarded as a trusted and independent source of vulnerability information. Benefits to individuals and organisations will include more frequent and more comprehensive reporting of vulnerabilities which means that these can be addressed.
All classes of vulnerability across most products are eligible for the SVCRP programme as long as the following criteria are met:
The vulnerability affects a stable product
The vulnerability affects the latest version of the product
The product is actively supported by the vendor
The vulnerability is not already publicly known
Secunia Research is able to confirm the reported vulnerability.
No Secunia customers will receive any advance notification about the vulnerabilities coordinated by Secunia, whether they are internal discoveries or vulnerabilities coordinated via this reward incentive. Researchers will continue to receive any payments they are due from vendors for coordinating vulnerabilities; Secunia will not receive any money or other reward from vendors for coordinating the vulnerability on behalf of the researcher. Secunia will confirm the vulnerabilities via testing in their extensive and independent laboratory testing facilities.
The rewards on offer will range from top-of-the-range merchandise to two major annual rewards such as free hotel accommodation and entry to an IT security conference chosen from a list of the most popular global security conferences. The latter rewards will be given for the first time in January 2012. One reward will be given to the researcher who co-ordinates the most interesting vulnerability as judged by Secunia, in the form of a prize under the Most Interesting Coordination Report category. Criteria will include complexity, impact, and level of detail. The other will be given to the researcher who has been consistently coordinating correct, clearly detailed vulnerability reports that are quick and easy to confirm, as judged by Secunia. The researcher will be given the title 'Most Valued Contributor' by Secunia. Other rewards will be continuously given to researchers coordinating their discoveries through Secunia based on their individual performance.
There is no charge or enrolment process for researchers to participate in the programme, which forms part of several initiatives from Secunia to benefit the community.