Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


This isn't to say you should maintain your belief that researcher is acting in good faith when presented with evidence to the contrary. Rather, one should keep in mind that participants are working toward a common goal: reducing the harm caused by deployed insecure systems. I Am the Cavalry describes Finder/Reporter motivations thus ([1)]:

Table 1: I Am the Cavalry's Finder / Reporter Motivations


The Awareness and Adoption Group within the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities ([2) ] surveyed security researchers and vendors, finding that ([3)]:

  • 92% of researchers participate in some form of CVD.
  • 70% of researchers expected regular communication from the vendor about their report. Frustrated expectations were often cited as the reason for abandoning the CVD process
  • 60% of researchers cited threat of legal action as a reason they might not work with a vendor to disclose
  • 15% of researchers expected a bounty in return for their disclosure


< 2.1. Reduce Harm | 2.3. Avoid Surprise >


  1. I Am The Cavalry, "5 Motivations of Security Researchers," [Online]. Available: [Accessed 17 May 2017].
  2. National Telecommunications and Information Administration, "Multistakeholder Process: Cybersecurity Vulnerabilities," 15 December 2016. [Online]. Available: [Accessed 17 May 2017].
  3. NTIA Awareness and Adoption Working Group, "Vulnerability Disclosure Attitudes and Actions: A Research Report from the NTIA Awareness and Adoption Group," 15 December 2016. [Online]. Available: [Accessed 6 June 2017].