One area of research that has been of particular interest to computer security personnel recently is the discovery of new vulnerabilities in software and web sites in return for cash. Many large companies, such as Google and Facebook, have developed bug bounty programs in recent years as a means of crowdsourcing a list of potential vulnerabilities. The amount of money on offer in return for the disclosures varies and may not be enough to make a living on (if that is the researcher's only source of income), but there is certainly a large amount of recognition to be gained within the infosec community.
The trend in recent years has been for more and more companies of varying sizes to start offering their own bug bounty programs, but last week saw Secunia buck that trend by announcing the closure of their own offering, the Secunia Vulnerability Coordination Reward Program (SVCRP).
Launched back in November 2011, the SVCRP acted as an intermediary between researchers and vendors and offered rewards as long as the following criteria were met:
- The vulnerability affected a stable product.
- The vulnerability affected the latest version of the product.
- The product in question was actively supported by the vendor.
- The product was not a hosted solution.
- The vulnerability was not already publicly known.
- The vulnerability was not already being coordinated with the vendor.
- Secunia Research was able to confirm the reported vulnerability.
Now, after helping many researchers and companies over the past two years, Secunia have called time on their initiative for business reasons.
Writing on the company blog, Kasper Lindgaard, head of research, said, “Our decision to discontinue the program after all, is because Secunia, as a commercial organization, must assess our initiatives continuously.” Lindgaard also went on to say that, “The decision to end the SVCRP is based on the conclusion that the amount of time and effort we put into the program, outweighs the benefits to our own organization. This discrepancy unfortunately means that we cannot warrant the continued investment into maintaining the SVCRP.” The blog post ends by saying that Secunia will process all submissions received prior to the 16th of August but will no longer accept new ones.
It looks to me as though Secunia are saying that their coordination of the process is not worth their time in terms of the financial returns and so I wonder how other companies rate the return on investment in relation to offering such a scheme? Does paying bug bounties offer a cost saving in comparison to, say, running your own security assessment? Or does their value lie in the publicity and buzz they help create for the larger organisations that run them? What do you think?