Bugcrowd and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, announce the launch of Disclose.io — a project to standardize practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs).
Current U.S. anti-hacking laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), along with public incidents have had a chilling effect on the security researcher community.
The ambiguity of existing laws and the lack of a framework for “good faith” security testing has sometimes resulted in legal threats, unlawful criminal punishment, and even jail for ethical hackers working to improve global security.
Disclose.io enables organizations to protect both themselves and the researchers submitting to their bug bounty and vulnerability disclosure programs by incorporating safe harbor language that outlines authorization and clearly defines scope.
Disclose.io is a framework that expands on the work done by Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework, Amit Elazari’s #legalbugbounty, and Dropbox to protect security researchers.
Establishing language before launching a program has a two-fold benefit: organizations feel safe and avoid situations such as extortion or reputational damage, while security researchers who are acting in good faith can report bugs without facing legal repercussions.
“We’re in the business of finding vulnerabilities by introducing and encouraging the intelligence and creativity of the white hat hacker community. This can be a frightening concept for people who build, run and protect software, but it’s necessary to compete against the adversaries that are out there,” said Casey Ellis, Bugcrowd founder and CTO.
“Standardization is the best way to negate any legal or reputational blowback, while still attracting the best hunters to your program.”
The design philosophy of the Disclose.io framework is to balance four forces:
- Legal completeness,
- Safe harbor for security researchers,
- Safe harbor for program owners, and
- Readability for those who don’t have a legal background or who don’t speak English as a first language.
“More often than not, companies (usually unintentionally) omit legal safe-harbor language in their contracts. Yet, this is the very language necessary to allow hackers to find and responsibly disclose software vulnerabilities legally,” said Amit Elazari, a University of California, Berkeley doctoral candidate, CLTC grantee and an expert in the legalese of bug bounties.
“The biggest challenges are not just providing authorization to hack, but also providing clear guidelines with concrete examples and communicating your expectations to the Crowd in order to mitigate confusion, as well as mapping third-party interests in your Scope.”
Organizations displaying the Disclose.io logo are committing to a set of Core Terms focused on creating safe harbor for good-faith security research.
In order to uphold this commitment, participating organizations are also required to provide clear definitions regarding the permitted Scope for research, one or more Official Communication Channels, and a formal Disclosure Policy.
Currently, around 18 companies running bug bounty and VDP programs have adopted language that follows current DOJ guidelines on legal safe harbor for security research and also addresses the DMCA. Hackers, lawyers and program owners are encouraged to participate and collaborate on the ongoing project.