Benevolence refers to the morally valuable character trait or virtue of being inclined to act to benefit others. In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability. While each reporter may have secondary motives (such as those listed in Table 1 below), and may even be difficult to work with at times, allowing negative associations about a CVD participant's motives to accumulate can color your language and discussions with them.
This isn't to say you should maintain your belief that a researcher is acting in good faith when presented with evidence to the contrary. Rather, one should keep in mind that participants are working toward a common goal: reducing the harm caused by deployed insecure systems. I Am the Cavalry describes Finder/Reporter motivations thus (1):
Table 1: I Am the Cavalry's Finder / Reporter Motivations

| Finder / Reporter Motivation |
| --- |
| Make the world a safer place. These researchers are drawn to problems where they feel they can make a difference. |
| Tinker out of curiosity. This type of researcher is typically a hobbyist and is driven to understand how things work. |
| Seek pride and notability. These researchers often want to be the best, or very well known for their work. |
| Earn money. These researchers trade on their skills as a primary or secondary income. |
| Ideological and principled. These researchers, whether patriots or protestors, strongly support or oppose causes. |
The Awareness and Adoption Group within the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities (2) surveyed security researchers and vendors, finding that (3):
- 92% of researchers participate in some form of CVD.
- 70% of researchers expected regular communication from the vendor about their report. Frustrated expectations were often cited as the reason for abandoning the CVD process.
- 60% of researchers cited the threat of legal action as a reason they might not work with a vendor to disclose.
- 15% of researchers expected a bounty in return for their disclosure.
(1) I Am The Cavalry, "5 Motivations of Security Researchers," [Online]. Available: https://www.iamthecavalry.org/motivations/. [Accessed 17 May 2017].
(2) National Telecommunications and Information Administration, "Multistakeholder Process: Cybersecurity Vulnerabilities," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities. [Accessed 17 May 2017].
(3) NTIA Awareness and Adoption Working Group, "Vulnerability Disclosure Attitudes and Actions: A Research Report from the NTIA Awareness and Adoption Group," 15 December 2016. [Online]. Available: https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf. [Accessed 6 June 2017].