By Carsten Eiram
Yesterday, I responded to some excellent questions received from a researcher interested in our new SVCRP program. As I'm sure many researchers have similar questions and would be interested in the answers, I got the researcher's permission to publish part of my response on our website as well.
Q: Do I retain credit on the advisory when it is published?
A: Yes, SVCRP is simply a service that offers researchers to confirm and handle coordination of their vulnerability discoveries with a few reward incentives. Once an advisory is published, the researcher receives full credit in both Secunia's advisory (an example is SA44062) and the vendor's advisory if one is published.
Q: Am I allowed post about it AFTER it is made public on my site/blog/mailing lists? Am I allowed release exploit code once it is public? What "terms" am I signing on for?
A: Certainly. You retain all rights to the vulnerability discovery and can publish as many details as you'd like after release of the Secunia advisory. The only "terms" we have is that you do not publish anything until the coordination process is complete and we've published an advisory.
Q: I am specifically researching web application bugs in E-Commerce and Blogging platforms, and auditing them at source level. No mods to them, just off the shelf, most recent supported versions.
A: We accept any vulnerability type in any stable software via SVCRP. The whole idea of SVCRP is to provide assistance to as broad an audience of researchers as possible compared to the selective vulnerability purchase programs available.
Q: What I am hoping is that I report vuln to you, you do the report-to-vendor + release IDS signature (or whatever gain you get), then you tell me when I can disclose it, and I then go posting it on the "usual places". This way you get the bug first, etc, and I get to take credit as the discoverer and add it to my "list of found bugs".
A: That's pretty much how the process goes except from the IDS signature / "our gain" part. As this is a service to the community and the researchers do not sell their findings to us, we do not use any of the provided information in our solutions until the coordination process with the vendor is complete and an advisory is published on our website.
Customers get no advance notification of any kind.
When a researcher reports a vulnerability to us, a handler in the Advisories team will evaluate and confirm the researcher's findings. Once completed, we inform the researcher that we have confirmed the vulnerability and then commence the coordination process with the vendor on behalf of the researcher. Once the vendor has fixed the vulnerability (or the vendor has failed to fulfil the criteria of our disclosure policy), we inform the researcher and release a Secunia advisory crediting the researcher for the discovery and list it as coordinated on the Research page (the next update of this page will highlight researchers' names to bring even more attention to each researcher's coordinated discoveries).
Any researcher having coordinated a vulnerability via SVCRP will have a chance to win one of the two major annual rewards as listed on the SVCRP web page. We will also provide occasional minor rewards to researchers (typically SVCRP merchandise) based on the individual researcher's performance (i.e. quality of reports, number of discoveries coordinated and similar).
Q: For the record: I am currently investigating 49 different vulns in web-apps, all either leading to remote code execution or file inclusion/path traversal. Should I also be looking into XSS and SQLi? Do you accept those also?
A: We accept all types of vulnerability classes so no need to hold yourself back. ;-)
I hope these answers are helpful to other researchers as well. My team and I are looking forward to seeing all of your SVCRP submissions and help you confirm and coordinate your discoveries - and we're especially looking forward to January 2012 where the two major rewards will be awarded for the first time!
Chief Security Specialist