Bugcrowd released disclose.io, the open-source safe harbor project, in August 2018. Since then, we're pleased to report that companies have been leaning into the need for a safer and easier-to-navigate legal environment for whitehat hackers. To help this along, we've taken several steps forward with the project.
Our first move was to launch all new programs on the Bugcrowd platform with safe harbor for researchers as an opt-out default. Almost all new companies have opted to launch their programs with these protections in place, which says a lot about how companies think of hackers these days!
We also rebooted "The List," our community-powered disclosure directory. Its goal is not only to shine a light on Bugcrowd-run programs, but also on disclosure and bounty programs all over the world that a) invite good-faith hackers to help and b) go the extra mile by offering safe harbor. In the short time The List has been published in its new form, the community has added 35 programs and contributed several fixes and discussions on usability, scope, schema, and corrections.
We are tremendously happy with these results! The adoption of safe harbor by industry leaders is a big success for Bugcrowd and the disclose.io project, and an important step forward for hackers and organizations working together to make our digitally-connected world safer.
As our next step, to better recognize companies adopting safe harbor and to make it easier for hackers to find these best-in-class programs, today we are delighted to announce advanced filtering for The List!
As a researcher, you can now filter for your favorite flavor of public program, including those that proactively provide safe harbor in their legal terms. Filters are available for:
- New programs
- Safe harbor
- Paid programs
- Swag programs
- Hall of Fame programs
One other piece of news: The Bugcrowd team has been actively evangelizing safe harbor and submitting to conference CFPs all around the world, and we're proud to say that almost all of those submissions have been accepted! This speaks volumes about the adoption of safe harbor and disclose.io, and bodes well for the future of builders and breakers working together.
We’d like to thank:
- BSides London
- The Ethical Hacker Network
- OWASP Seasides
- University of California, Berkeley and Amit Elazari
Finally, we would like to thank the many individual contributors and champions for their support on this project through PRs, suggestions, and engagement with the disclose.io GitHub repo:
- Aagam Shah
- Abartan Dhakal (Stickman Consulting)
- Barnett Klane (Bugcrowd)
- Beau Woods (I Am The Cavalry)
- Casey Ellis (Bugcrowd)
- Chris Raethke
- Dan Trauner (Bugcrowd)
- David Chou (Bugcrowd)
- Gianluca Varisco (Arduino)
- Jack Cable
- Jack McCracken (Shopify)
- Leif Dreizler (Segment)
- Micah Wells (CarGurus)
- Nick Darlow
- Tomáš Polešovský
So, what’s next?
We need your help! Our goal is to have every organization offer a proactive vulnerability disclosure policy, and for that policy to include safe harbor for good-faith hackers. Here’s what YOU can do:
- Submit PRs to add missing programs to The List: get them the recognition they deserve, and get credit for helping this movement along
- If your organization runs a VDP, consider adding the disclose.io safe harbor terms
- If your organization doesn’t run a VDP, talk to them about getting a policy, an intake channel, and a vulnerability coordination/remediation process established.