vendor-researcher relationship

Google Security Reward - 2015 Year in Review

2010/01 : Google launches its Vulnerability Report Program which gives financial bounties to security researcher finding bugs. 

"[B]ecause rewarding security researchers for their hard work benefits everyone. These financial rewards help make our services, and the web as a whole,...Read more

OIS

Security and IT Industry Leaders Form Organization for Internet Safety - Creation of OIS
Toward the development of industry standards for security vulnerability handling - OIS objectives
Guidelines for Security Vulnerability Reporting and Response (Version 2.0) - OIS
Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)

2010/07/22 : "Today on the MSRC [Microsoft Security Response Center] blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated...Read more

Google Vulnerability Report

Google Security Reward - 2015 Year in Review
Google to Pay For Bugs Found in Chromium (Threat post)
Google Ups the Bug Bounty Ante to $3133.7 (Threat post)
Google Open Source Vulnerabilities (OSV)
Google 7-days disclosure

2013/05/29 : Google agreed for 7-days to fix critical vulnerabilities. 

"Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that...Read more

Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR

2008/08 : Microsoft create the Microsoft Vulnerability Research Program (MSVR).Read more

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...Read more

Fortinet slams Rapid7 for disclosing vulnerability before end of their 90-day window

2021/08/12 : "A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue."Read more

Coordinated Vulnerability Disclosure Reloaded (Microsoft)

2011/04/19 : Microsoft reloaded its Coordinate Vulnerability Disclosure.

This artifact is part of the Microsoft Vulnerability Disclosure Bundle.Read more

Coordinated Vulnerability Disclosure at Microsoft

2011/04 : "This [Microsoft] document aims to clarify how Microsoft communicates the disclosure of vulnerabilities with industry peers, customers, and the research community in a coordinated way. Lastly, this documentexplains how to engage with Microsoft in coordinated...Read more

Schneier - Crypto-Gram March 15, 2002

2002/03/15 : Schneier published his monthly newsletter.
Schneier gives this time a summary of the vulnerabilitiy disclosure actual issues.

"The history of the vulnerability's discovery and publication is an interesting story, and illustrates the...Read more

No more free bugs for software vendors (Fisher paper)

2009/03/23 : Dennis Fisher highlights the end of free vulnerability disclosure.

"It appears that the free ride is over for software vendors."Read more

Subscribe to vendor-researcher relationship
Need help with PECE?
Join the PECE Slack channel