We are discontinuing the SVCRP
Effective from August 16, 2013 we are discontinuing the Secunia Vulnerability Coordination Reward Program
We no longer accept any new submissions to SVCRP, but will of course handle and process all submissions received prior to today.
Read the blog post from Secunia’s Head of Research here
If you have any questions or comments, you are very welcome to contact us.
Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP (Secunia Vulnerability Coordination Reward Program) is a reward incentive offered by Secunia to researchers, who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf.
All classes of vulnerabilities in most products are applicable for SVCRP as long as the following basic criteria are met:
- The vulnerability affects a stable product.
- The vulnerability affects the latest version of the product.
- The product is actively supported by the vendor.
- The product is not a hosted solution.
- The vulnerability is not already publicly known.
- The vulnerability is not already being coordinated with the vendor.
- Secunia Research is able to confirm the reported vulnerability.
Minor rewards will be continuously awarded to researchers coordinating their discoveries through Secunia based on their individual performance. The two major rewards are currently awarded annually (the first one in January 2012!).
|Most Valued Contributor:
This is a yearly prize awarded to the researcher, who based on Secunia Research's judgement has been consistently coordinating correct, clearly detailed vulnerability reports that have been quick and easy to confirm.
|"The reason I reported 0-day security vulnerabilities to Secunia is because Secunia is well-known in the security community for an immense and comprehensive database of vulnerabilities..." Read the full quote
|Most Interesting Coordination Report:
This is a yearly prize awarded to the researcher, who based on Secunia Research's judgement has been coordinating the most interesting vulnerability (criteria considered are e.g. complexity, impact, affected product, level of detail in provided vulnerability report).
|"Over the last 5 years of discovering vulnerabilities Secunia has always been my number one choice to coordinate my discovered vulnerabilities with them..." Read the full quote
The current list of qualifying conferences are:
- Black Hat
The coordination process will follow the same disclosure policy as followed by the Secunia Research team when coordinating internally discovered vulnerabilities.
If you would like to report a vulnerability to Secunia via SVCRP then please send a vulnerability report prefixed with "[SVCRP]" in the subject to email@example.com. The report should contain details on the affected product/version and PoC or detailed steps to trigger the vulnerability to ensure that Secunia Research can reproduce your findings.
If you prefer to send an encrypted vulnerability report then please find our PGP key here.
Learn more about SVCRP from Carsten Eiram, Chief Security Specialist at Secunia Research here:
"The reason I reported 0-day security vulnerabilities to Secunia is because Secunia is well-known in the security community for an immense and comprehensive database of vulnerabilities. The company does follow a proper disclosure policy for its reporting on and handling of 0-day security vulnerabilities of all kinds. Apart from that, Secunia did help me alot in coordinating the 0-day security issues and follow-up with the vendors while I can make use of my time to focus on other security research." - Sow Ching Shiong, Vulnerability Researcher "Over the last 5 years of discovering vulnerabilities Secunia has always been my number one choice to coordinate my discovered vulnerabilities with them. The Secunia Research team have always been very helpful and kept me well informed in the coordination with the vendor. For an independent security researcher like myself working with Secunia has huge benefits. Firstly Secunia's talented research team can assess and validate the vulnerability right to the core issue of the bug. This technical information helps me to advance my awareness for future vulnerabilities that I may discover. Secondly working with Secunia coordinate with the vendor saves me the time and effort in myself coordinating directly with the vendor. This allows me to deal with other priorities while knowing that it’s in good hands. Allowing Secunia to deal with coordinating vulnerabilities also aids in responsible disclosure as vendors may tend to ignore a lone researcher and not perceive the criticality of the issue.
Carsten Eiram discusses SVCRP
Answers To A Researcher's Questions About SVCRP
Working with Secunia couldn’t be simpler 1. Send your report to them 2. Wait for them to verify usually only a couple of days 3. Secunia to coordinate with the vendor on your behalf 4. Sit back and just wait for an advisory to get published
So even when the vendor does not respond to Secunia after a period of time an advisory will still be published with full credit to the discoverer and you haven’t broken any rules not to mention proper vulnerability details about the bug is reported without any assumptions made by a inexperienced vulnerability researcher." - Parvez Anwar, Vulnerability Researcher