Bugcrowd Launches Disclose.io Open-Source Vulnerability Disclosure Framework to Provide a Safe Harbor for White Hat Hackers
In partnership with renowned security researcher, Amit Elazari, Disclose.io provides a clear legal framework to protect organizations and researchers engaged in vulnerability disclosure programs
SAN FRANCISCO — August 2, 2018 — Today, Bugcrowd, the leader in crowdsourced security, and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, are proud to announce the launch of Disclose.io — a collaborative, open-sourced and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs).
Current U.S. anti-hacking laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), along with notable public incidents, have had a chilling effect on the security researcher community. The ambiguity of existing laws and the lack of a framework surrounding protocols for “good faith” security testing have sometimes resulted in legal threats, unlawful criminal punishment, and even jail for ethical hackers working to improve global security. Disclose.io enables organizations to protect both themselves and researchers submitting to their bug bounty and vulnerability disclosure programs by incorporating explicit safe harbor language that outlines specific authorization, with clear scope.
Disclose.io is a framework that expands on the leading work done by Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework, Amit Elazari’s #legalbugbounty, and Dropbox to protect security researchers. Establishing clear language before launching a program has a two-fold benefit: organizations feel safe and avoid situations such as extortion or reputational damage, while security researchers who are acting in good faith can report bugs without facing legal repercussions.
“We’re in the business of finding vulnerabilities by introducing and encouraging the intelligence and creativity of the white hat hacker community. This can be a frightening concept for people who build, run and protect software, but it’s necessary to compete against the adversaries that are out there,” said Casey Ellis, Bugcrowd founder and CTO. “Standardization is the best way to negate any legal or reputational blowback, while still attracting the best hunters to your program.”
The design philosophy of the Disclose.io framework is to balance four forces:
- Legal completeness,
- Safe harbor for security researchers,
- Safe harbor for program owners, and
- Readability for those who don’t have a legal background or who don’t speak English as a first language.
“More often than not, companies (usually unintentionally) omit legal safe-harbor language in their contracts. Yet, this is the very language necessary to allow hackers to find and responsibly disclose software vulnerabilities legally,” said Amit Elazari, a University of California, Berkeley doctoral candidate, CLTC Grantee and an expert in the legalese of bug bounties. “The biggest challenges are not just providing authorization to hack, but also providing clear guidelines with concrete examples and communicating your expectations to the Crowd in order to mitigate confusion, as well as mapping third-party interests in your Scope.”
Organizations displaying the Disclose.io logo are committing to a set of Core Terms focused on creating safe harbor for good-faith security research. In order to uphold this commitment, participating organizations are also required to provide clear definitions regarding the permitted Scope for research, one or more Official Communication Channels, and a formal Disclosure Policy.
Currently, around 18 companies running bug bounty and VDP programs have adopted language that follows current DOJ guidelines on legal safe harbor for security research and also addresses the DMCA. Hackers, lawyers and program owners are encouraged to participate and collaborate on the ongoing project, which can be viewed on GitHub.
Bugcrowd is the #1 crowdsourced security platform. More enterprise organizations trust Bugcrowd to manage their bug bounty, vulnerability disclosure, and next-gen pen test programs. By combining the largest, most experienced triage team with the most trusted hackers around the world, Bugcrowd generates better results, reduces risk through remediation advice, and empowers organizations to release secure products to market faster — with no hidden fees. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Bugcrowd. Outhack Them All™. Learn more at www.bugcrowd.com.