15:13 CET, 14th November 2011 By Secunia.
The article ‘So You Want To Be A Zero Day Exploit Millionaire?’ by Mathew J. Schwartz asks the question: “Have you discovered a killer zero-day vulnerability in a widely used product? Can the bug be ‘weaponized,’ or actively exploited?”
Schwartz then discusses the various programs on the market that reward “bug hunters” and debates other ‘options’ such as defence contractors and the black market.
Secunia's independent vulnerability reward program, SVCRP, is presented as a new alternative for researchers.
“For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Last week, for example, vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product.”
Thomas Kristensen, Secunia CSO, also provides commentary to Schwartz about the SVCRP and its policy.
To read the article in full, visit InformationWeek.