Presume Benevolence
Benevolence refers to the morally valuable character trait or virtue of being inclined to act to benefit others. In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability. While each reporter may have secondary motives (such as those listed in Table 1 below), and may even be difficult to work with at times, allowing negative associations about a CVD participant's motives to accumulate can color your language and discussions with them.
Balancing Trust and Skepticism
This isn't to say you should maintain your belief that a researcher is acting in good faith when presented with evidence to the contrary. Rather, you should keep in mind that participants are working toward a common goal: reducing the harm caused by deployed insecure systems.
Finder/Reporter Motivations
I Am the Cavalry describes Finder/Reporter motivations thus:
| Finder / Reporter Motivation | Summary | Description |
|---|---|---|
| Protect | make the world a safer place | These researchers are drawn to problems where they feel they can make a difference. |
| Puzzle | tinker out of curiosity | This type of researcher is typically a hobbyist and is driven to understand how things work. |
| Prestige | seek pride and notability | These researchers often want to be the best, or very well known for their work. |
| Profit | to earn money | These researchers trade on their skills as a primary or secondary income. |
| Politics | ideological and principled | These researchers, whether patriots or protestors, strongly support or oppose causes. |
NTIA Insights
In 2016, the Awareness and Adoption Group within the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities surveyed security researchers and vendors, finding that:
- 92% of researchers participate in some form of CVD.
- 70% of researchers expected regular communication from the vendor about their report. Frustrated expectations were often cited as the reason for abandoning the CVD process.
- 60% of researchers cited threat of legal action as a reason they might not work with a vendor to disclose.
- 15% of researchers expected a bounty in return for their disclosure.