Recently on SecurityFocus (read: Symantec) appeared an article written by Jamie Reid, a privacy, security and risk consultant to healthcare agencies in Toronto.
While reading the article, we could not believe our eyes. In a nutshell, the article is brilliantly demonstrating why the current level of money offered by traditional security vendors to security researchers (yes, somobedy finally used the proper term) for their 0day findings is not representing the real value of them. No need to report here SecurityFocus columnist's ideas backing up such statement, we totally agree with them, especially with the final part which is stating that perhaps, the proper model should be a model including a sort of revenue sharing scheme. Just go and read the article.
But... there is a but. To demonstrate that the traditional security vendors' model is not providing a proper value to the researcher's efforts, the columnist wrote:
"Competitors in the bug-buying space like WabiSabiLabi's auction scheme, and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them."
Initially, we didn't pay much attention to it, but then... questions started to pop up in our mind.
As everybody knows, stating something like "Competitors in the bug-buying space like WabiSabiLabi's auction scheme(...) offer lower rewards" is actually not representing the reality. In fact, WabiSabiLabi doesn't offer ANY sort of reward at all. We just provide a marketplace, where the reward level is the natural result of the interaction of offer and demand. Why the need to say that WSL itself is providing low reward to researchers? It puzzled us.
Then we paid attention to the fact that the columnist is wishing for security researchers a sort of revenue sharing model, deliberately (?) forgetting to mention that WabiSabiLabi announced such scheme since the time of its very foundation. Go and read our almost-one-year-old post.
At that point, we mailed to Jamie Reid, pointing out the fact that we were not providing "low rewards scheme" and that we were already promoting since a year our revenue sharing scheme, hoping that he would have corrected his article.
Guess what? We received a polite mail in which he answered "Thank you. That's an interesting model. I will be interested in following up in a year or so about how it is working". But no amendments on his article.
A distracted columnist? Or perhaps an anticipation of a future Symantec's move toward a different approach in the security research industry?
As you know, we are working hard since one year in the realization of such rewarding scheme, having initially half of the world against us. Our efforts are concretizing in the recently announced partnership for the production of the UTM OneShield Security, which will integrate a revenue sharing model, for those security researchers who are contributing with their findings.
We took all of the risk and heat, we faced the shadiness of the current laws, we took all the insults from that part of the researcher's community which didn't agree with us, we standed strong hits from some lobbied press.
Nevertheless, we are still alive so it might be the right time from the big industry to take advantage of the results of our work?
We'll see. It will be interesting for us, to see how our competitors (who much criticized our model, defining it unethical) will find excuses to adopt it.
Our forecast? Perhaps they will adopt only part of it. They won't adopt the auction part but they will eventually adopt the revenue-sharing scheme.
With a problem: it will be the demonstration that they abused of the work of the security researchers, paying them peanuts, up to the moment somebody popped out of the blue and forced them to adopt new business models, in which security researchers are not anymore considered as freebies or peanuts workers.
Please remember... that somebody, was us.
While reading the article, we could not believe our eyes. In a nutshell, the article is brilliantly demonstrating why the current level of money offered by traditional security vendors to security researchers (yes, somobedy finally used the proper term) for their 0day findings is not representing the real value of them. No need to report here SecurityFocus columnist's ideas backing up such statement, we totally agree with them, especially with the final part which is stating that perhaps, the proper model should be a model including a sort of revenue sharing scheme. Just go and read the article.
But... there is a but. To demonstrate that the traditional security vendors' model is not providing a proper value to the researcher's efforts, the columnist wrote:
"Competitors in the bug-buying space like WabiSabiLabi's auction scheme, and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them."
Initially, we didn't pay much attention to it, but then... questions started to pop up in our mind.
As everybody knows, stating something like "Competitors in the bug-buying space like WabiSabiLabi's auction scheme(...) offer lower rewards" is actually not representing the reality. In fact, WabiSabiLabi doesn't offer ANY sort of reward at all. We just provide a marketplace, where the reward level is the natural result of the interaction of offer and demand. Why the need to say that WSL itself is providing low reward to researchers? It puzzled us.
Then we paid attention to the fact that the columnist is wishing for security researchers a sort of revenue sharing model, deliberately (?) forgetting to mention that WabiSabiLabi announced such scheme since the time of its very foundation. Go and read our almost-one-year-old post.
At that point, we mailed to Jamie Reid, pointing out the fact that we were not providing "low rewards scheme" and that we were already promoting since a year our revenue sharing scheme, hoping that he would have corrected his article.
Guess what? We received a polite mail in which he answered "Thank you. That's an interesting model. I will be interested in following up in a year or so about how it is working". But no amendments on his article.
A distracted columnist? Or perhaps an anticipation of a future Symantec's move toward a different approach in the security research industry?
As you know, we are working hard since one year in the realization of such rewarding scheme, having initially half of the world against us. Our efforts are concretizing in the recently announced partnership for the production of the UTM OneShield Security, which will integrate a revenue sharing model, for those security researchers who are contributing with their findings.
We took all of the risk and heat, we faced the shadiness of the current laws, we took all the insults from that part of the researcher's community which didn't agree with us, we standed strong hits from some lobbied press.
Nevertheless, we are still alive so it might be the right time from the big industry to take advantage of the results of our work?
We'll see. It will be interesting for us, to see how our competitors (who much criticized our model, defining it unethical) will find excuses to adopt it.
Our forecast? Perhaps they will adopt only part of it. They won't adopt the auction part but they will eventually adopt the revenue-sharing scheme.
With a problem: it will be the demonstration that they abused of the work of the security researchers, paying them peanuts, up to the moment somebody popped out of the blue and forced them to adopt new business models, in which security researchers are not anymore considered as freebies or peanuts workers.
Please remember... that somebody, was us.
