A new program aims to provide white hat hackers and companies running bug bounty and vulnerability disclosure programs with open source legal guidelines to avoid issues sometimes associated with security research.
Launched jointly on Thursday by Bugcrowd and Amit Elazari, a University of California Berkeley doctoral candidate, Disclose.io can be adopted by any organization running a bug bounty or disclosure program. The initiative offers boilerplate language that a company can use as terms between it and security researchers who want to disclose a bug.
Bugcrowd asserts that current laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) have a chilling effect on security research. Research conducted in order to find software vulnerabilities is often perceived as malicious hacking, Bugcrowd explains.
“The ambiguity of existing laws and lack of framework surrounding protocols for ‘good faith’ security testing has sometimes resulted in legal threats, unlawful criminal punishment, and even jail for ethical hackers working to improve global security,” the company said in a press release.
The purpose of Disclose.io is to provide a safe harbor to ethical hackers disclosing vulnerabilities to companies, rather than having them face legal action.
“We’re in the business of finding vulnerabilities by introducing and encouraging the intelligence and creativity of the white hat hacker community. This can be a frightening concept for people who build, run and protect software, but it’s necessary to compete against the adversaries that are out there,” said Bugcrowd founder and CTO Casey Ellis in a statement. “Standardization is the best way to negate any legal or reputational blowback, while still attracting the best hunters to your program.”
The terms of Disclose.io are available on GitHub. A company that adopts the open source terms commits to working with researchers to validate their reports and to recognizing their contribution to improving the security of the system in question. The terms also provide that the company will not seek legal action against hackers acting in good faith.
For the researchers’ part, they are expected to avoid disrupting a company’s systems, violating the privacy of others, going public with a bug before it’s fixed, and other commonly accepted ground rules in good faith security research. The terms also spell out that a researcher shouldn’t engage in extortion, which was the case last year when Uber apparently spun off an extortion attempt as a bug bounty payoff.
“More often than not, companies (usually unintentionally) omit legal safe-harbor language in their contracts. Yet, this is the very language necessary to allow hackers to find and responsibly disclose software vulnerabilities legally,” Elazari said in a statement.
The Department of Justice also provides guidelines for legal safe harbor when it comes to security research. Bugcrowd says that around 18 companies running bug bounty or vulnerability disclosure programs are using the DOJ guidelines.