24 July 2014

“Where is Synack’s Hall of Fame page?”

Mark Kuhr

The original purpose of providing credit for private vulnerability disclosure was for the software vendor to thank the security researcher for unpaid research work on a severe or critical advisory-class flaw. This credit was documented in the vendor’s public Security Advisory, published to educate customers of the need to take action to update their software to protect themselves from exploitation. This practice of providing proper credit was documented in June 2000 in what was arguably the first “responsible disclosure” policy, known as RFPolicy.

As technology evolved from being primarily client/server based to more online-services focused, the practice of crediting researchers also evolved. Online services are updated by the service provider with no customer action required, so there is no Security Advisory in which to credit the researcher. Vendors began providing acknowledgement for advisory-class vulnerabilities in a cumulative webpage on their corporate website in lieu of individual Security Advisories. Today this “Hall of Fame” researcher acknowledgement has become a standard practice with software vendors and third-party vulnerability reward programs.

Since the start of this practice, however, we believe the standards for awarding “Hall of Fame” credit have in many cases diminished, and it is not uncommon to see credit being given for trivial, low, and moderate risk issues. While this costs the vendor very little and keeps the individual reporting the non-advisory-class issue happy, it also dilutes the prestige of any acknowledgement. There is no value in that for any serious security researcher.

The Synack Red Team is a private, freelance security research team with stringent admission standards. Just as researchers would complete technical interviews for a job with a consulting firm, our admissions board thoroughly reviews potential applicants for technical quality and professionalism prior to acceptance into our team. In addition, none of our researchers are expected to work for free; every Synack customer’s web app, mobile app, or host infrastructure listing offers financial rewards. We believe this gives us a unique opportunity to provide researchers with something more valuable than putting their name on a website and sending them a t-shirt. They have earned active membership in an exclusive, high quality vulnerability hunting program, where they are well paid and highly respected for their work.

You could say that being an active member of the Synack Red Team IS our Hall of Fame.