Proposed: a Bounty for Bugs
Mark Rasch, 2003-11-10

Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible.

Proposed: a Bounty for Bugs 2003-11-10
researcher
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Mark Rasch
Proposed: a Bounty for Bugs 2003-11-11
Psuedo-Anonymous Coward (1 replies)
Proposed: a Bounty for Bugs 2003-11-19
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
agent1
Proposed: a Bounty for Bugs 2003-11-11
Ragnarok
Proposed: a Bounty for Bugs 2003-11-11
Theuns
Proposed: a Bounty for Bugs 2003-11-11
frustrated security dweeb
Proposed: a Bounty for Bugs 2003-11-12
Bob Weiss - Passsword Crackers, Inc.
Proposed: a Bounty for Bugs 2003-11-12
Lockdown
Proposed: a Bounty for Bugs 2003-11-12
Anonymous
Proposed: a Bounty for Bugs: A Notoriously Bad Idea 2003-11-12
Michael Sierchio (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Sunil James - Director, iDEFENSE
This is a great discussion, one that will surely continue at the Vulnerability Disclosure conference in Stanford next week. Not trying to toot my own horn, but iDEFENSE recognized this path over a year ago and implemented its Vulnerability Contributor Program (VCP) so as to provide a manner in which security researchers could rely on a trusted third party (iDEFENSE) with solid contacts at all the vendors to transmit their findings. By acting as the middleman, we offer a few things:

Anonymity: Contributors who are wary of prosecution can hide behind the iDEFENSE veil so as to continue their research without fear of subsequent persecution.

Disclosure process handling: Many times, we've found - in our research - that security researchers just don't want to deal with vendors because of the amount of time it takes to get issues resolved. Sure, you want to do the correct thing, but if you're not getting paid, what's your incentive? Why not just let somebody else deal with it?

Money: The root of all evil, as some would say. If you can motivate people to start coming out with these things to organizations that maintain a responsibility to the vendors, their customers, and the researchers, AND get paid, what reason do you have NOT to submit?

Empowerment: We've all these guys around the world who really don't feel like they're part of the security community. In my time of heading up the VCP, I've learned just how isolated the information security community is, and how many researchers there are in the "rest" of the world that never knew of forums like BugTraq, VCP, etc. (sounds like a joke to us, but look who's reading this).

Thanks for taking the time to put together an article as such, Mark.

Proposed: a Bounty for Bugs 2003-11-14
Administrator
Proposed: a Bounty for Bugs 2003-11-14
Anonymous
Proposed: a Bounty for Bugs 2003-11-15
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-18
intruder
Proposed: a Bounty for Bugs 2003-11-18
Anonymous
Old idea ... 2003-11-19
Garry
Copyright 2008, SecurityFocus