Although a few companies are ‘morally flexible’ about their disclosure practices, the work done by the security research community is critical for network protection.
The necessity of this research has translated into the strong and steady growth of the vulnerability research market. While still divided on a few topics, security professionals and software vendors both recognise the importance of responsible vulnerability research, and are working to improve software quality.
New analysis from Frost & Sullivan, World Vulnerability Research Markets Q3-2008, finds that 74 vulnerabilities were disclosed in Q3 of 2008. Although this figure is lower than in previous periods, the total number of disclosed vulnerabilities has historically increased each quarter, and is expected to keep climbing steadily in the future.
“Software and technology empower users and improve productivity, but also carry the potential to expose users to cyber attacks,” explains Frost & Sullivan research analyst Christopher Rodriguez. “The more people realise the value of vulnerability information, and established researchers become more proficient, the more the market will grow steadily and continue to do so.”
However, many in the security community remain divided on the topic of contribution compensation programmes, further blurring the lines between responsible disclosure and full disclosure. Although many software vendors understand the importance of vulnerability research, a few are still uncooperative.
“While the vulnerability research market is highly dynamic, there remain only a few companies that walk the line ethically,” adds Rodriguez. “This market faces several polarised points of debate and has much more potential for growth than it has shown so far.”
The market can expand significantly with the release of each new application. Automated testing tools such as fuzzers now help researchers to find bugs faster. Researchers may also be drawn to the financial rewards offered by organisations with ‘bug bounty’ programmes.
These bounty programmes provide few barriers to entry, as demonstrated by the meteoric rise of market entrants. Companies backed by sufficient financial resources could quickly jump to the top of the discloser lists.