Disclose.io: A safe harbor for hackers disclosing security vulnerabilities

The laws are murky when it comes to responsible disclosure of bugs, but Disclose.io intends to make things more clear-cut.

Bugcrowd has launched Disclose.io, a "safe harbor" framework intended to assist security researchers caught in the gulf between legality and responsible disclosure.

The laws around vulnerability reports are gray at best. Some vendors have dedicated bug bounty programs which give hackers an avenue to report security vulnerabilities directly, not only to give affected companies a chance to patch the problem before threat actors learn of them but also in order to secure credit and financial rewards.

Sometimes, however, companies are not pleased to receive such reports. This year, a security researcher and two reporters ended up facing court over the disclosure of vulnerabilities and the threat of such lawsuits can have a chilling effect on the security community at large.

Censorship and the threat of court cases are only some of the problems that white hat hackers face.

Proposed changes made to the Wassenaar Arrangement and export controls originally threatened to make legal vulnerability disclosure almost impossible; but thankfully, changes are now hopefully being made which will keep cybersecurity researchers in the clear.

Despite the work of many security experts and long discussions resulting in a victory when it comes to the Wassenaar Arrangement, vulnerability disclosure can still be a legal minefield.

The US Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act (DMCA) have also proved ambiguous and sometimes painful for cybersecurity. In one particular case, for example, a researcher allegedly discovered that a vendor had left private credentials unsecured on GitHub.

When the issue was reported, the company in question attempted to silence the researcher by threatening to prosecute them under CFAA.

TechRepublic: Top 5: Reasons you need a bug bounty program

It's a troubling time, compounded by the accelerated rate in which cyberattacks ranging from data breaches to attacks on critical infrastructure appear to be taking place.

However, Bugcrowd hopes that a new legal framework can reduce the looming shadow of lawsuits and bring everyone on to the same page.

See also: Bug bounties: 'Buy what you want

Disclose.io is billed as a "collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research."

In partnership with security researcher Amit Elazari, the new scheme aims to give both researchers and vendors clear scope when it comes to vulnerability disclosure, whether privately or through bug bounty programs.

Disclose.io builds upon CipherLaw's Open Source Vulnerability Disclosure Framework, work conducted by Bugcrowd, Elazari's #legalbugbounty safe harbor project and Dropbox's pledge to protect security researchers.

The legal framework attempts to balance clear, concise language, legal requirements, safe harbor elements for both program owners and researchers, as well as readability for those without a legal background.

CNET: Facebook launches bug bounty program to report data thieves

Companies which choose to display the framework's logo will be committing themselves to a set of terms which create a safe harbor for research conducted in good faith.

They must also provide clear definitions regarding research scope, official communication channels for responsible disclosure, as well as a formal disclosure policy.

"We're in the business of finding vulnerabilities by introducing and encouraging the intelligence and creativity of the white-hat hacker community," said Casey Ellis, Bugcrowd founder, and CTO. "This can be a frightening concept for people who build, run and protect software, but it's necessary to compete against the intelligence of the adversaries that are out there. Standardization is the best way to negate any legal or reputational blowback while still attracting the best hunters to your program."

At the same time as the launch of Disclose.io, Bugcrowd also announced a partnership with the California Cybersecurity Institute (CCI) at Cal Poly to run a two-year research program into how to train the next generation of cybersecurity researchers.

Previous and related coverage