Not a week goes by without another major business or Internet service announcing a data breach. And while many companies have begun to adopt bug bounty programs to encourage the reporting of vulnerabilities by outside security researchers, they’ve done so largely inconsistently. That’s the reason for Disclose.io, a collaborative, open source effort to create a standard for bug bounty and vulnerability-disclosure programs that protects well-intentioned hackers.
The lack of consistency in companies’ bug-disclosure programs—and the absence of “safe harbor” language that protects well-intended hackers from legal action in many of them—can discourage anyone who discovers a security bug from reporting it. And vague language in a disclosure program can not only discourage cooperation but can also lead to public-relations disasters and a damaged reputation with the security community, as happened with drone maker DJI last November.
Dropbox revised its own vulnerability disclosure terms and legal policies after a lawsuit was filed against a reporter over a vulnerability disclosure. Companies that manage bug bounties for large organizations, including HackerOne and Bugcrowd, have made their own efforts to get customers to standardize security terms.
But these efforts haven’t been translating into a wider adoption of those best practices—which is why Disclose.io was formed. The project has its roots in two separate-but-similar efforts being rolled into Disclose.io. The first is #LegalBugBounties, which is an effort started by Amit Elazari, a doctoral candidate at the University of California at Berkeley School of Law and a grantee of the university’s Center for Long-Term Cybersecurity. The second is the Open Source Vulnerability Disclosure Framework, an effort launched in April by Bugcrowd and the law firm CipherLaw.
Casey Ellis, the founder and CTO of Bugcrowd, said that allowing white-hat hackers to actively look for vulnerabilities “can be a frightening concept for people who build, run, and protect software, but it’s necessary to compete against the adversaries that are out there. Standardization is the best way to negate any legal or reputational blowback while still attracting the best hunters to your program.”
And there are other potential benefits of broad standardization. In a paper published in May, Elazari asserted that “by employing standardized boilerplate language for safe harbor, bug bounties offer a unique opportunity to affect the legal landscape of white-hat hacking at scale as a form of private regulation.”
Because of what Elazari describes as the “murky landscape of anti-hacking laws”—such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act—bug bounty programs “present an interesting case study for how contracts could foster security research instead of stifling it.”
The efforts by Elazari and Bugcrowd have already won new converts. Elazari’s work was cited by Mozilla executives as the inspiration for recent changes in Mozilla’s bug bounty program. And given how regulated information security practices have become in some industries—and how badly legislation regarding any sort of hacking has been handled over the past few years—using “open source,” battle-tested boilerplate contracts to speed adoption of disclosure and bug bounty programs might be a lot easier and a lot less expensive than anything mandated by new government regulation.