A prominent security researcher this week proposed a plan to create a trade association for vulnerability researchers that would act as an advocacy organization as well as protect the legal and economic interests of the members. The plan is still very much in the formative stages and no formal blueprint for the organization exists, but the idea is being kicked around in many parts of the security community.
The idea for the organization came from Thor Larholm, a senior security researcher at PivX Solutions Inc., in Newport Beach, Calif. Larholm is well-known in security circles for his research, particularly on Internet Explorer. He began discussing the plan with other researchers in June and has since spoken with a number of vendor executives about it as well.
On Monday, Larholm posted a message to the BugTraq mailing list detailing some his thoughts about the organization. He says support for the idea of having an organization to unite researchers has been virtually unanimous among the people hes spoken with.
“For the past month one thing has been clear to me: that the security researchers organization is not a question of whether it will happen, but when, in what form and with which people backing it. Finding the right mix of people that are willing to dedicate their skills and time is all that remains,” Larholm said. “The response to my posting has so far been more than positive with a lot of disparate individuals volunteering to help and I have high hopes that this is going to become established in the months to come.”
Larholms basic plan is to establish an organization made up of professional and amateur vulnerability researchers. The body would help members establish lines of communication with vendors, perform third-party review of research and advisories prior to publication, act as a lobbyist in Washington and generally look out for the interests of the researchers.
There are still a number of details to work out, including the makeup of the membership. The ranks of vulnerability researchers can be divided into two main groups: professional researchers, such as Larholm and the staff researchers at companies like @stake Inc. and eEye Digital Security Inc.; and independent folks who conduct research on their own. But there are also a number of crackers who look for vulnerabilities with the intent of exploiting them for some malicious purpose.
Whether, and how, to keep the crackers out of the organization will be one challenge. Another will be getting such a large and diverse group of people—many of whom have very strong opinions—to agree on issues such as responsible disclosure.
There is also the question of how software vendors will respond to dealing with such a group. But, Larholm believes that all of these are problems that can be overcome.
“Establishing an organization that represents security researchers is not just for the good of the researchers themselves, it is for the good of the community and industry as a whole,” he wrote in his BugTraq posting. “The vendors would most definitely benefit from an organization such as this, suddenly being able to approach and debate with a single organization representing thousands of individual researchers as opposed to the status quo of debating guidelines with thousands of disparate individuals—the latter essentially being a moot point.”
Discuss This in the eWEEK Forum