
We are discontinuing the SVCRP

Effective from August 16, 2013, we are discontinuing the Secunia Vulnerability Coordination Reward Program.

We no longer accept any new submissions to SVCRP, but will of course handle and process all submissions received prior to today.

Read the blog post from Secunia's Head of Research here

If you have any questions or comments, you are very welcome to contact us.

-

Secunia Vulnerability Coordination Reward Program (SVCRP)

SVCRP (Secunia Vulnerability Coordination Reward Program) is a reward incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf.

All classes of vulnerabilities in most products are applicable for SVCRP as long as the following basic criteria are met:

  • The vulnerability affects a stable product.
  • The vulnerability affects the latest version of the product.
  • The product is actively supported by the vendor.
  • The product is not a hosted solution.
  • The vulnerability is not already publicly known.
  • The vulnerability is not already being coordinated with the vendor.
  • Secunia Research is able to confirm the reported vulnerability.

Minor rewards will be continuously awarded to researchers coordinating their discoveries through Secunia based on their individual performance. The two major rewards are currently awarded annually (the first one in January 2012!).

Most Valued Contributor:
This is a yearly prize awarded to the researcher who, in Secunia Research's judgement, has consistently coordinated correct, clearly detailed vulnerability reports that have been quick and easy to confirm.
"The reason I reported 0-day security vulnerabilities to Secunia is because Secunia is well-known in the security community for an immense and comprehensive database of vulnerabilities..."



Most Interesting Coordination Report:
This is a yearly prize awarded to the researcher who, in Secunia Research's judgement, has coordinated the most interesting vulnerability (criteria considered include complexity, impact, affected product, and level of detail in the provided vulnerability report).
"Over the last 5 years of discovering vulnerabilities Secunia has always been my number one choice to coordinate my discovered vulnerabilities with them..."



The current list of qualifying conferences is:

  • Black Hat
  • Defcon
  • CanSecWest
  • RECON

The coordination process will follow the same disclosure policy as followed by the Secunia Research team when coordinating internally discovered vulnerabilities.

If you would like to report a vulnerability to Secunia via SVCRP then please send a vulnerability report prefixed with "[SVCRP]" in the subject to vuln@secunia.com. The report should contain details on the affected product/version and PoC or detailed steps to trigger the vulnerability to ensure that Secunia Research can reproduce your findings.

If you prefer to send an encrypted vulnerability report then please find our PGP key here.

Learn more about SVCRP from Carsten Eiram, Chief Security Specialist at Secunia Research here:
Carsten Eiram discusses SVCRP
Answers To A Researcher's Questions About SVCRP

"The reason I reported 0-day security vulnerabilities to Secunia is because Secunia is well-known in the security community for an immense and comprehensive database of vulnerabilities. The company does follow a proper disclosure policy for its reporting on and handling of 0-day security vulnerabilities of all kinds. Apart from that, Secunia did help me a lot in coordinating the 0-day security issues and follow-up with the vendors while I can make use of my time to focus on other security research."

- Sow Ching Shiong, Vulnerability Researcher


"Over the last 5 years of discovering vulnerabilities Secunia has always been my number one choice to coordinate my discovered vulnerabilities with them. The Secunia Research team have always been very helpful and kept me well informed in the coordination with the vendor. For an independent security researcher like myself working with Secunia has huge benefits. Firstly Secunia's talented research team can assess and validate the vulnerability right to the core issue of the bug. This technical information helps me to advance my awareness for future vulnerabilities that I may discover. Secondly working with Secunia coordinate with the vendor saves me the time and effort in myself coordinating directly with the vendor. This allows me to deal with other priorities while knowing that it's in good hands. Allowing Secunia to deal with coordinating vulnerabilities also aids in responsible disclosure as vendors may tend to ignore a lone researcher and not perceive the criticality of the issue.

Working with Secunia couldn't be simpler:

  1. Send your report to them
  2. Wait for them to verify, usually only a couple of days
  3. Secunia to coordinate with the vendor on your behalf
  4. Sit back and just wait for an advisory to get published

So even when the vendor does not respond to Secunia after a period of time an advisory will still be published with full credit to the discoverer and you haven't broken any rules, not to mention proper vulnerability details about the bug are reported without any assumptions made by an inexperienced vulnerability researcher."


- Parvez Anwar, Vulnerability Researcher






 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144