Open source responsible disclosure framework released

Bugcrowd, known for crowdsourced security testing, publicly released a new guide for companies looking to set up their own responsible disclosure programs.

Developed in collaboration with information security attorney Jim Denaro from CipherLaw, the new Creative Commons-licensed Open Source Responsible Disclosure Framework is designed to enable companies to set up a responsible disclosure program to more quickly and smoothly prepare their organization to work with the independent security researcher community, while reducing the legal risks to researchers and companies.

“Bugcrowd is all about connecting independent security researchers with companies big and small,” said Casey Ellis, CEO and co-founder of Bugcrowd. “Security researchers are constantly finding new vulnerabilities in software, websites and applications of all sorts. The key to collaborating with independent security researchers and white hat hackers is establishing clarity and trust; this framework is one more way of ensuring that collaboration happens.”

This new framework includes a responsible disclosure policy that provides additional legal assurances for independent security researchers who are looking for ways to responsibly disclose vulnerabilities in websites, applications or software. Policies such as these can help align the expectations of researchers and companies throughout the disclosure process. This policy is intended to be posted to a company’s website or added to the Terms of Service for specific application or software, and can be adopted by most organizations with only a few small modifications.

“Security vulnerabilities threaten many critical systems, such as medical devices, automobiles, and systems that store personal confidential information,” said Jim Denaro, founder of CipherLaw. “We need to ensure that independent researchers with the skills to find these vulnerabilities are not discouraged from reporting them because of the legal risks. This framework will help researchers to continue their important work.”

Together, the policy and associated best practices guide provides an overview of the basic processes needed for companies who are interested in establishing a responsible disclosure program, but do not yet have one in place.

The framework is available at GitHub.