Organization for Vulnerability Researchers Proposed

Group would act as an advocacy organization and protect the legal and economic interests of its members.

The number of active security researchers has grown by leaps and bounds in recent years, and for many of them, research is not just a hobby but a profession.

To help legitimize this calling and impose a bit of structure in what can be a chaotic industry, a prominent researcher has proposed a kind of trade association for vulnerability researchers that would act as an advocacy organization and protect the legal and economic interests of its members. The plan is still in the formative stages. No formal blueprint for the organization exists, but the idea is being kicked around in many parts of the security community.

The idea for the organization came from Thor Larholm, a senior security researcher at Pivx Solutions Inc., in Newport Beach, Calif. Larholm is well-known in security circles for his research, particularly on Microsoft Corp.s Internet Explorer. He began discussing the plan with other researchers in June and has since spoken with a number of vendor executives about it.

Recently, Larholm posted a message to the BugTraq mailing list detailing some of his thoughts about the organization. He said support for the idea of having an organization to unite researchers has been virtually unanimous among the people with whom hes spoken.

"For the past month, one thing has been clear to me: The security researchers organization is not a question of whether it will happen, but when, in what form and with which people backing it. Finding the right mix of people that are willing to dedicate their skills and time is all that remains," Larholm said. "The response to my posting has so far been more than positive, with a lot of disparate individuals volunteering to help, and I have high hopes that this is going to become established in the months to come."

Larholms basic plan is to establish an organization comprising professional and amateur vulnerability researchers. The body would help members establish lines of communication with vendors, perform third-party reviews of research and advisories prior to publication, act as a lobbyist in Washington and generally look out for the interests of the researchers.

The idea of a researchers organization is not entirely new. In fact, some of the elements Larholm proposes have been tried in various forums in recent years. But many of the other groups have had different aims and often have floundered for one reason or another. Sardonix Security Portal is one such effort and focused on independent contributors helping to audit source code for security problems.

"A subtle distinction may be the root cause here: Sardonix seeks to change the research model from find a bug, win a prize! to audit software, report what you find, and win a reputation for the long term," Crispin Cowan, chief scientist at Immunix Inc., in Portland, Ore., wrote in response to Larholms proposal. "Having a pile of audited software is much more useful to admins than an endless stream of Gotcha again! advisories. But from the lack of response from security investigators, I conjecture that find a bug, win a prize! is more fun to do, and so thats what investigators choose to do."

There are still a number of details to work out, including the makeup of the membership. The ranks of vulnerability researchers can be divided into two main groups: professional researchers, such as Larholm and the staff researchers at companies such as @Stake Inc. and eEye Digital Security Inc., and independent folks who conduct research on their own. But there is also a number of crackers who look for vulnerabilities with the intent of exploiting them for some malicious purpose.

Whether, and how, to keep the crackers out of the organization will be one challenge.

There is also the question of how software vendors will respond to dealing with such a group. Larholm said he believes that all of these are problems that can be overcome.

Discuss This in the eWEEK Forum