Developing policy to protect hackers that participate in Vulnerability Disclosure Programs and Bug Bounties is paramount to Bugcrowd. Anti-hacking laws around the world such as the Computer Fraud and Abuse Act (CFAA) are built on the idea that a hacker is a bad person by default, and don’t make room for bounty hunters and good-faith hackers to do their work safely.

Until these anti-hacking laws evolve (and as vulnerability disclosure, bug bounty, and crowdsourced security programs grow), there’s a clear need to create and standardize legal “band-aids” to bridge this legislative gap.

This movement, led by Casey Ellis (Open Source Vulnerability Disclosure Framework) and Amit Elazari (#legalBugBounty), has resulted in

We are very happy to announce beginning today all Bugcrowd VDP or Bug Bounty programs will include messaging as the default policies within the program briefs. Our Solutions Architecture team leads these discussions with every client on how to protect hacker rights when participating in these programs, focusing on the following areas:

  • “Ground Rules”: describe how to perform security testing responsibly
  • Safe harbor: provide references to CFAA protections and DMCA protections for hackers
  • Terms & Conditions: eliminate Ts&Cs that would interfere with conducting good faith security research.
  • and more…

(snippet discussed during brief creation)

We are excited about this important milestone and encourage customers to keep the policies in their program scopes, providing Safe Harbor to researchers and protecting their ability to perform security testing. We also hope this step will be a catalyst for the industry, helping mature safe harbor policies even further.

In the near future we plan to indicate which programs on Bugcrowd adhere to the policies or at the very minimum provide safe harbor to researchers.

We also want to take this opportunity for all customers, researchers, and subject matter experts to participate in the discussion around Safe Harbor, and to contribute to ongoing revisions for the templates (hosted on GitHub). Our dream-state is for to be a living breathing standard for Safe Harbor, much the way Bugcrowd’s Vulnerability Rating Taxonomy is for vulnerability technical impact.

Happy (and safe) hacking!