Bugcrowd CTO Casey Ellis discusses how the guidelines can help both researchers and companies to address vulnerabilities

Earlier this month, Bugcrowd launched a new reporting framework that aims to further protect security researchers, create a “safe harbour” for ethical hackers, and address legal risks when it comes to disclosures.

The Disclose.io project is a new set of open-source vulnerability guidelines written with both researchers and organizations in mind.

In an increasingly digital world, companies and vendors are turning to white hat hackers to help bolster their security measures and protect their business.

But sometimes, even the most responsible of researchers can be stung.

Threats and other legal complications are just some of the risks faced by researchers, and companies face dangers too – reputation damage being just one concern.

Casey Ellis, founder and CTO of Bugcrowd, spoke to The Daily Swig via email about how Disclose.io can address these issues, and how it could transform the way we report vulnerabilities globally.


What sparked the idea for Disclose.io? Was it in response to a specific incident?

Casey Ellis: Federal anti-hacking laws currently aren’t up to speed with the way security vulnerabilities are often identified and patched.

The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don’t include safe harbor for researchers who disclose bugs, causing a legal gap that discourages ethical hacking. Further, companies have taken legal action — or threatened it — against those who have found serious vulnerabilities.

Disclose.io offers a stopgap for people and organizations to take advantage of until these protections are built into policies.


Why is there a need for Disclose.io when there are already popular disclosure programs?

CE: Disclose.io is a framework that expands on the leading work done by Bugcrowd and CipherLaw's Open Source Vulnerability Disclosure Framework, Amit Elazari’s legal bug bounty, and Dropbox.

Establishing clear language before launching a program has a two-fold benefit: Organizations feel safe and avoid situations such as extortion or reputational damage, while security researchers who are acting in good faith can report bugs without facing legal repercussions.


How can Disclose.io protect researchers, and what kinds of protection or aid does it offer?

CE: The design philosophy of the Disclose.io framework is to balance four forces – legal completeness, safe harbor for security researchers, safe harbor for program owners, and readability for those who don’t have a legal background or who don’t speak English as a first language.


Will it also benefit organizations?

CE: Disclose.io enables organizations to protect both themselves and researchers submitting to their bug bounty and vulnerability disclosure programs by incorporating explicit safe harbor language outlining specific authorization, with clear scope.


Finally, how important are bug bounty programs to the security industry as a whole?

CE: According to Bugcrowd’s 2018 State of Bug Bounty Report, there has been an uptick of 40% in bounty programs launched within the last year, up 33% from last year.

The report found an increase across the board in the number and severity of vulnerabilities, and payouts to hackers, making it clear that companies are turning to crowdsourced security to cope with a complex threat landscape.