The National Cyber Security Centre (NCSC) in the UK is enhancing its approach to vulnerability research by collaborating with outside entities instead of solely depending on internal analysts.

This new effort, named the Vulnerability Research Initiative (VRI), expands upon current external collaborations and has garnered general approval from the cybersecurity sector.

The NCSC noted that it already collaborates closely with the UK government, tech firms, and the broader public to identify security flaws, offer guidance on online safety, and address cyber incidents.

However, the Vulnerability Research Initiative (VRI) represents a more cooperative model that brings in specialized cybersecurity knowledge from beyond the agency.

“The VRI aims to enhance the UK’s capability in conducting vulnerability research,” the NCSC stated when announcing the initiative.

“We collaborate with top-tier external vulnerability researchers to gain in-depth insights into security across a wide array of technologies we prioritize. The external VRI community also helps us develop tools and methodologies for identifying vulnerabilities,” the statement continued.

The organization also detailed the composition of the core VRI team, which includes technical specialists, relationship coordinators, and project managers. However, further specifics—such as the identities of external partners involved—are still unclear.

Kevin Robertson, CTO of Acumen Cyber, described the project as “theoretically promising” but pointed out that the NCSC has previously launched programs that were “l(fā)argely ineffective and self-serving,” suggesting this one could similarly fail to deliver real impact.

Still, others in the industry responded more favorably to the announcement.

Kev Breen, senior director of cyber threat research at Immersive, praised the move as a proactive measure in detecting and addressing security risks.

“There's a wealth of expertise available publicly, especially in niche research fields,” he remarked.

“It would be unrealistic for the NCSC to maintain all the required skills, time, and resources necessary to hunt bugs across every domain.

“Opening up the VRI to the broader research community through invitations or applications is a smart way to expand their pool of knowledge.”

Will the NCSC program be sufficient?

Breen did note, however, that the absence of financial incentives—like those seen in bug bounty programs—might discourage many researchers from participating.

For instance, Google pays between $100 and $31,337 for qualifying bugs, as reported by Geeks for Geeks.

Microsoft also runs multiple bounty programs, offering up to $300,000 for Azure-related vulnerabilities or up to $30,000 for issues found in Windows Insider Preview builds.

In terms of hardware, Intel provides rewards ranging from $500 to $100,000 per valid report, depending on the severity and type of the vulnerability.

Stay updated with php.cn via Google News for the latest news, expert analysis, and reviews.

The above is the detailed content of Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?. For more information, please follow other related articles on the PHP Chinese website!