In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Disclose.io project and what it could mean for the future of security research and vulnerability disclosure.
Bug hunting and vulnerability disclosure can sometimes be risky tasks in the eyes of the law, but some experts are hoping to take the fear of legal action out of security research.
A new framework called Disclose.io aims to protect researchers participating in bug bounties from legal action under such laws as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).
The open source, vendor-agnostic project was launched by Amit Elazari, a University of California, Berkeley doctoral candidate and bug bounty legal expert, in collaboration with bug bounty platform provider Bugcrowd Inc. According to the project’s website, enterprises and government organizations can adopt the framework’s standardized safe harbor language in their vulnerability disclosure policies, authorizing good faith security research and committing not to pursue legal action against researchers under the CFAA or DMCA.
Currently, 21 organizations have pledged support for the Disclose.io project. The framework arrives at a time when experts such as Bugcrowd CTO Casey Ellis have expressed concern about the future of good faith security research.
Will more organizations support the Disclose.io project? Can the framework encourage more researchers to participate in bug bounties? Are companies making the vulnerability reporting process too cumbersome and intimidating for researchers? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.