The work done by the security research community has become critical for network protection – and this has translated into the strong and steady growth of the vulnerability research market.
While still divided on a few topics, security professionals and software vendors alike recognize the importance of responsible vulnerability research, and are working to improve the quality of the software.
New analysis from Frost & Sullivan, "World Vulnerability Research Markets Q3-2008", finds that 74 vulnerabilities were disclosed in the third quarter of 2008. Although this number is a decrease from previous periods, the total number of vulnerabilities is expected to keep climbing steadily in the future.
"Software and technology improve productivity, but also carry the potential to expose users to cyber attacks," explains Frost & Sullivan research analyst Christopher Rodriguez. "The more people realise the value of vulnerability information, and established researchers become more proficient, the more the market will grow."
However, many in the security community remain divided on the topic of contribution compensation programmes, further blurring the lines between responsible disclosure and full disclosure. Although many software vendors understand the importance of vulnerability research, a few are still unco-operative.
"While the vulnerability research market is highly dynamic, there remain only a few companies that walk the line ethically," adds Rodriguez. "This market faces several polarised points of debate and has much more potential for growth than it has shown so far."
The market can expand significantly with the release of each new application. Automated testing tools such as fuzzers now help researchers find bugs faster. Researchers may also be drawn to the financial rewards offered by organisations with "bug bounty" programmes.
These bounty programmes provide few barriers to entry, as demonstrated by the meteoric rise of market entrants. Companies backed by sufficient financial resources could quickly jump to the top of the discloser lists.