Secunia offers T-shirts for security vulnerabilities
Scandinavian company Secunia has come up with a new reward programme to motivate security researchers to tell it about newly discovered security vulnerabilities. But whilst TippingPoint's Zero Day Initiative (ZDI) and Verisign's iDefense dip deep into their pockets, offering rewards which can stretch to five-figure sums, the Secunia Vulnerability Coordination Reward Programme is offering "top-of-the-range merchandise" and free entry to, and hotel accommodation at, a security conference.
Secunia, however, sees itself as complementing, rather than competing with, the likes of ZDI. It will, for example, offer rewards for vulnerabilities which are of no interest to other companies. It will even consider rewarding vulnerabilities which have also received a payout from another reward programme. In contrast to TippingPoint and Verisign, whose reward programmes are aimed at giving their customers an advantage – even if only by providing early signatures for their network alarm systems – Secunia says that it will not provide information submitted to it to its customers ahead of time.
Secunia is offering to analyse information submitted to it as an independent third party and to coordinate communications with vendors until patches have been released. The company already maintains a large database of known security vulnerabilities, on which its various products are based. Its Corporate and Personal Software Inspector products check and monitor whether the software installed on a system contains any known security vulnerabilities. The H's Security Update Check is also based on Secunia's Software Inspector. The motivation behind the new reward programme would appear to be to make collecting the data required for this database easier.