vendor-researcher relationship

No more free bugs for software vendors (Fisher paper)

2009/03/23 : Dennis Fisher highlights the end of free vulnerability disclosure.

"It appears that the free ride is over for software vendors."

Announcing Coordinated Vulnerability Disclosure (Microsoft)

2010/07/22 : "Today on the MSRC [Microsoft Security Response Center] blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated Vulnerability Disclosure."

This artifact is part of the ...

Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)

2010/07/22 : "Today on the MSRC [Microsoft Security Response Center] blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated...

Google Project Zero

2015/02/13 : "Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a...

The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure

2002/07/12 : Michael Morgenstern and Tom Parker point to the failure of Christey and Wysopal's willingness to put in place common measures for responsible disclosure.

"Unfortunately, Steve Christey and Chris Wysopal's RFC of February...

Schneier - Crypto-Gram February 15, 2000

2000/02/15 : Schneier published his monthly newsletter.

He reflects on the vulnerability debate. 

"My position has changed over time. I'd like to revisit it.
There are really two issues here, intertwined. If someone
...

Emerging Economic Models for Vulnerability Research (Nagle and Sutton paper)

2006 : "The purpose of this paper is to look at economic vulnerability models that exist in the market today and analyze how they affect vendors, end users and vulnerability researchers." (Nagle and Sutton, p.2)

Google 7-days disclosure

2013/05/29 : Google agreed on a 7-day period to fix critical vulnerabilities.

"Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that...

Google to Pay For Bugs Found in Chromium (Threatpost)

2010/01/29 : Dennis Fisher writes on Google's new program. It "will pay security researchers a $500 bounty for every security bug they find in Chromium, the open-source codebase behind the Google Chrome browser, as well as for bugs found in Chrome itself."

This...
