Companies offering a security bug bounty must include provisions to protect researchers

More needs to be done to establish a framework that will allow ethical hackers to look for flaws on websites without risking potential prosecution.

Hundreds of organizations have left out the welcome mat for hackers to find bugs in their systems via vulnerability disclosure, bug bounty, and advanced pen test programs.

Despite this, prosecution under anti-hacking laws is still a risk – a potential threat that can be removed if site owners include safe harbor language within their program policies.

Chloé Messdaghi, security researcher advocate at Bugcrowd, told delegates at BSides London today that the bug bounty market has developed so quickly that many programs fail to address the issue.

The omission of a safe harbor policy is often unintentional, Messdaghi said, adding that while organizations need to lift legal uncertainties, they often lack the knowledge to change their policies.

Safe harbor policies enable program owners to incentivize ethical hackers while setting the bounds of what’s allowed and retaining the scope to take enforcement action against malicious hackers.

Bugcrowd is backing a “standardized, open source, easily readable legal boilerplate for disclosure” for program owners, said Messdaghi.

The framework would also offer a ready mechanism for hackers to report bugs, for example through a dedicated email address.

Messdaghi explained that safe harbor language reduces ambiguity in what would otherwise be a grey area of the law.

Disclose.io – a project launched by Bugcrowd and Amit Elazari, and run by the hacking community and program managers – is spearheading the effort.

A Canadian version of the program is due to be introduced in two weeks’ time.

“We want to bring it to the UK,” Messdaghi said, adding that Bugcrowd and its partners welcomed the support of legal experts and corporations interested in taking on the scheme.

Last month, enterprise software giant Atlassian underlined its commitment to protecting security researchers by adding a safe harbor clause to its own bug bounty program rules.

“At Atlassian, we are concerned that some researchers participating in other programs have found themselves threatened with legal action after acting in good faith,” said the company’s Ethan Dodge.

“Atlassian is proud to announce our adoption of a safe harbor clause. So long as they are acting in good faith and following all other rules of our bounty program, [researchers] will never face any legal repercussions from Atlassian.”
