Despite the overall increase in companies offering bug bounty rewards to those who find and report vulnerabilities, ethical security research can still be a bit of a legal minefield. For example, back in May 2018 it fell to Governor Nathan Deal of Georgia to veto a bill that would have made it difficult to do even basic, ethical cybersecurity research. In addition, there is little in the way of a coherent framework for reporting bugs, creating a wide disparity between companies on what constitutes legal disclosure. In some instances, this has led to a reluctance among some white hat hackers to disclose vulnerabilities they’ve discovered.
Enter Disclose.io, an open-source collaborative project that hopes to combat confusion regarding vulnerability disclosure and “standardize best practices around safe harbor for good-faith security research.” According to its website, the project builds on three existing efforts: Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework, Amit Elazari’s #legalbugbounty, and Dropbox’s Vulnerability Disclosure Policy.
Sean Gallagher, writing for Ars Technica, suggests that even with the efforts of companies like Dropbox to clarify their position, there is still a great deal of confusion, opening the door to lawsuits against reporters and researchers and to reputational damage for companies that take action against those who ethically report bugs.
It’s understandable that some companies could react negatively to learning about vulnerabilities in their code or product from someone outside the organization. However, Casey Ellis, the founder and CTO of Bugcrowd, states that while the experience “can be a frightening concept for people who build, run, and protect software” it’s necessary to “compete against the adversaries that are out there.” Regarding Bugcrowd’s own bug disclosure framework, and that of Disclose.io, Ellis suggests that “standardization is the best way to negate any legal or reputational blowback while still attracting the best hunters to your program.”
Gallagher points out that efforts to standardize safe harbor language are already starting to bear fruit in the real world. He cites Mozilla’s recent changes to its bug bounty program as an example of an organization making a best effort to contract with ethical hackers to the benefit of both sides.