That is what a Veracode report finds: only 18% of researchers expect financial compensation in exchange for their findings.

It seems that collaboration between organizations and security researchers is a palpable reality, according to the results of Veracode's survey Exploring Coordinated Disclosure.

90% of respondents said that publicly disclosing vulnerabilities "serves a broader purpose of improving the way software is developed, used, and repaired". And virtually all software companies and researchers agree that raising awareness of vulnerabilities is good for everyone, since those that go unaddressed end up affecting businesses, consumers, and the stability of the global economy.

In this sense, unsolicited vulnerability disclosures are now common. In the last twelve months, more than a third of companies have received a report of this type, which has allowed them to work hand-in-hand with its author to fix the bug. The next step would be to make it public to help others.

Veracode says that researchers tend to be motivated by contributing to the general good. To put it another way, only 18% expect financial compensation in return, and 16% seek recognition for their finding. Meanwhile, in 57% of cases what is expected is to be informed as soon as the vulnerability is fixed. 47% of researchers want to receive regular updates on the fix, and 37% would like to validate the solution.

It should also be noted that as many as 71% of developers believe that security researchers should be able to perform unsolicited testing.

The majority of companies, 3 out of every 4, have already established a method for receiving reports from researchers. For example, 47% have bug bounty, or reward, programs. But Veracode specifies that only 19% of vulnerability reports come through them. "While they may well form part of an overall security strategy, these programs are often inefficient and costly", the security company indicates.

And, since financial remuneration is not the main motivation behind disclosures, Veracode believes that "organizations should consider focusing their limited resources on secure software development that finds vulnerabilities within their life cycle".

Another finding of the company's research is that researchers sometimes have unrealistic expectations about repair time. 65% expect that after reporting a bug, it will be fixed in less than 60 days. However, Veracode's data reveal that more than 70% of the flaws remain open a month after discovery and that about 55% are still there after three months.