Although a few companies have practices that border on criminal intent, the work done by the security research community is critical for system and data protection. The necessity of this work has translated into strong and steady growth, continuing into the third quarter of 2007.
While still divided on a few topics, the market as a whole recognises the value of responsible disclosure and is working to improve the quality of the tested software.
New analysis from global growth consulting company Frost & Sullivan finds that the world vulnerability research market disclosed 147 vulnerabilities in the third quarter of 2007. Although this figure is lower than the second-quarter 2007 total, the quarterly number of disclosed vulnerabilities has historically risen, and it is expected to keep climbing.
“Each new piece of software and technology also carries with it the potential to expose its users to cyber attacks,” notes Frost & Sullivan Research Analyst Chris Rodriguez. “This being the case, the vulnerability research market has grown steadily and this trend is expected to continue, as established researchers become more proficient and more people realise the value of vulnerability information.”
The vulnerability research market should continue to grow with the release of each new application. Automated testing tools such as fuzzers now help researchers find bugs faster, and the financial rewards offered by organisations with "bug bounty" programs draw additional researchers into the field.
However, while the vulnerability research market is highly dynamic, a few companies still walk an ethical fine line. Although they are few, their conduct reflects poorly on the rest of the research community. Many in the security community also remain divided over compensation programs for contributed vulnerabilities, which further blurs the line between responsible disclosure and full disclosure.
“The vulnerability research market is still relatively new territory,” says Rodriguez. “This market faces several polarised points of debate and has much more potential for growth than it has shown so far.”
As the meteoric rise of new entrants demonstrates, bounty programs present few barriers to entry. Vulnerability compensation programs were highly controversial at first, but have steadily gained acceptance since their inception. Companies backed by sufficient financial resources can quickly rise to the top of the discloser lists.