
There is a huge need in the space for a well marketed quality assurance contractor who can find problems like this and fix them.

"We found these issues, and we can fix them all. Pay us for finding them or pay us some more for fixing them, too." sort of thing.

Why don't you see QA shops popping up like this?




That feels a bit like "We found these vulnerabilities. You should pay us. It would be a shame if anything happened to your website"


If you do it right, it won't. Many security audit companies are asked to do test audits, and I've seen security audit contracts starting with responsible disclosure of vulnerabilities. Of course, a certain amount of trust is necessary, so the sides have to behave in a way that is conducive to the establishment of that trust.


> I've seen security audit contracts starting with responsible disclosure of vulnerabilities.

But was that

"We found a hole, here it is." "Thanks! You're good at that." "I know, want to hire us?"

or

"We found a hole. Pay us and we'll tell you."

Because those are very different approaches.


You'd need some pretty iron-clad liability waivers... if you miss something, you're opening yourself up for a "malpractice" sort of scenario.


Liability can be addressed with non-reliance disclosures.

Bigger issue is a market problem. People who need the help the most do not know they need it.


But then, you'd basically be getting paid for maybe kinda helping secure software.


Cigital does exactly this and more. We've even got a plugin for Eclipse that will provide suggestions on secure coding for Java.

Info about the QA/Security Consulting: http://www.cigital.com/services/

Secure coding plugin - http://www.cigital.com/products/secureassist/


Looks like Code Climate is providing an automated service like this for Rails apps: https://codeclimate.com/security-monitor


There are loads of companies already doing this, at least in the UK. They find the holes and you fix them.


The space is dominated by security oriented companies. Bugs are oftentimes not security issues though.


List please? I've tried Googling and not found them.


I guess one of the reasons is that it's much easier to fix those problems than to find them.



