A degree of community outreach is an important part of any CVD process. Not everyone shares the same values, concerns, perspectives, or even ethical foundations, so it's not reasonable to expect everyone to play by your rules. Keeping that in mind, we've found that it's usually better to reward good behavior than try to punish bad behavior. Such incentives are important as they increase the likelihood of continued cooperation between CVD participants.
Incentives can take many forms:
- Recognition – Public recognition is often used as a reward for "playing by the rules" in CVD.
- Gifts – Small gifts (or "swag") such as T-shirts, stickers, and so forth give researchers a good feeling about the organization.
- Money – Bug bounties can turn CVD into piece work.
- Employment – We have observed cases where organizations choose to hire the researchers who report vulnerabilities to them, either on a temporary (contract) or full-time basis. This is of course neither required nor expected, but having a reputation of doing so can be an effective way for a vendor to encourage positive interactions.