In web application security, the disclosure debate mostly revolves around the legalities of vulnerability "discovery". This is because security researchers don't have the same freedom to find vulnerabilities in custom web applications as they do in desktop software. However, if you're running a large and popular website (or many of them), you probably know that there are still a lot of white/gray/black hats looking for vulnerabilities anyway, even though we normally don't invite them to do so. That's probably why the Microsoft Security Response Center (MSRC), the group responsible for handling security issues in Microsoft's products, posted a cordial message inviting the sla.ckers.org community to submit vulnerabilities to them first, before public disclosure. Wow!
What happened next was interesting. digi7al64 suggested that a "reward system" would be a nice incentive and gesture, since the act of disclosing requires a certain amount of time and effort on the part of the researcher. There might be something to this. If you consider the roughly 1,000 XSS issues already publicized on sla.ckers.org (including ones in Google, Yahoo, MySpace, Microsoft and so on), there's obviously no shortage of issues. I'm going to hazard a guess that most of the people disclosing vulnerabilities probably do not work professionally in the web application security field and do this for fun in their spare time. If the reward were simply a crisp $100 bill, maybe a bug hunter t-shirt, or perhaps an Xbox 360 for a particularly high-severity issue, I bet that would make their day and everyone would be happy.
Now think about this: if given the option, how many of the organizations that have been outed would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. And of course, if they choose not to participate, nothing is lost and things remain the same. If an organization budgeted, say, $10,000, that could help eliminate a ton of XSS and SQL Injection issues. At some point vulnerabilities would get much harder to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I'm not quite ready to begin recommending this approach, but I think it's worth continuing a dialogue over.