Disclose.io is a new project that promotes a framework for the standardization of norms for vulnerability disclosure with the intent to remove the threat of criminal or civil prosecution of cybersecurity researchers, a long-standing obstacle to more open research and sharing of vulnerabilities by independent experts.
Describing itself as “a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good faith security research,” Disclose.io was jointly announced this week by bug bounty company Bugcrowd and Amit Elazari, a University of California, Berkeley, doctoral candidate and bug bounty legal expert. The project addresses the lack of consistency in policies on vulnerability disclosure, the need to keep researchers safe from legal action by companies with vulnerabilities and a framework to provide researchers with a “safe harbor” from prosecution under the Computer Fraud and Abuse Act (CFAA) or the Digital Millennium Copyright Act (DMCA).
So far, Elazari has listed 21 organizations — up from 18 when the announcement was first made — that have adopted language in their bug bounty programs that follows Department of Justice guidelines for protecting bug bounty participants from prosecution under the CFAA and that also addresses DMCA issues.
“With growing attention to this issue and increasing adoption of bug bounties in general, as well as the emergence of best practices, I hope adoption within big players will rise,” Elazari wrote by email. “Hackers are also becoming more aware of this issue and with time safe harbor will hopefully become a competitive feature of the program — a way to get more professional eyeballs on your code. This trend will continue as long as the law continues to be murky — and that is the case especially with the CFAA.”
The Disclose.io framework builds on the Open Source Vulnerability Disclosure Framework from Bugcrowd and tech-focused law firm CipherLaw, as well as Elazari’s own #legalbugbounty standardization project. Both give companies setting up their own vulnerability disclosure programs guidance on keeping participants safe from prosecution under the CFAA or the DMCA.
Organizations that have adopted safe harbor terms in their bug bounty or vulnerability disclosure programs include Bugcrowd, as well as Dropbox, HackerOne and Mozilla.
Risks of vulnerability disclosure
The Disclose.io project is intended both to protect cybersecurity researchers from the risk of legal proceedings for disclosing vulnerabilities and to protect program owners from individuals who discover vulnerabilities and act in bad faith; for example, some individuals may have ulterior motives and use bug bounty programs to gain unauthorized access to the program owner’s resources.
However, some organizations attempt to shift some of the risks of bug bounty hunting to the bug hunters, especially when bug bounty participants are not explicitly granted full authorization to all relevant assets.
“Not providing authorization is shifting the legal risk to the hacker. Since these are take-it-or-leave-it contracts, lawyers might be inclined to protect their own organization’s interests. The main practical barrier for adoption of safe harbor is it actually requires obtaining the rights to authorization in all assets and careful scoping and policy drafting,” Elazari wrote. “When you are authorizing access you are clarifying that one must follow the guidelines to get it, and that’s why it works well for both parties because it signals to the hacker what the rules are. If you intentionally violate the rules — you don’t get the safe harbor.”
In other news
- Facebook security chief Alex Stamos is leaving the social networking giant and starting a research and teaching role as an adjunct professor at Stanford University’s Freeman-Spogli Institute for International Studies (FSI). His last day at Facebook is Aug. 17, almost precisely five months after The New York Times reported that his “impending exit” was set for August. Prior to his stint at Facebook, Stamos was CISO at Yahoo. In a message posted on his Facebook page, Stamos wrote that he would be continuing his work on “understanding and preventing the misuse of technology,” and would be launching “a course teaching hands-on offensive and defensive techniques and to contribute to the new cybersecurity master’s specialty” at FSI.
- Congress passed a bill this week that will force tech companies to disclose to the Pentagon whether they have allowed foreign governments to examine software sold to the U.S. military. The legislation was included in the Pentagon spending bill, which was approved by an 87-to-10 vote in the Senate after having passed in the House of Representatives last week; President Trump is expected to sign the bill into law. The new law was drafted after an investigation by Reuters discovered that companies, including Hewlett Packard, SAP and McAfee, had allowed Russian agencies to examine their software products as a precondition for sale in Russia. The legislation, included in the fiscal 2019 National Defense Authorization Act, was drafted by Senator Jeanne Shaheen (D-NH), who told Reuters that the new rules would help secure the government’s technology acquisition process.
- As of Aug. 1, the CA/Browser Forum has changed its rules for how certificate authorities (CAs) are allowed to validate claims of domain ownership before issuing trusted certificates, removing two validation methods that have been exploited by malicious actors seeking legitimacy through domain certificates. The CA/B Forum Baseline Requirements no longer permit CAs to use the first validation method, which compared the certificate applicant’s contact information with the domain contact information listed in domain name registrar databases. Until now, CAs could validate an applicant’s contact information against the domain contact information returned by a “whois” query to the domain registrar. Also deprecated was the fifth validation method, which “allowed lawyers to write letters asserting ownership of domain names, a subject they are generally not qualified to evaluate,” wrote Timothy Hollebeek, industry and standards technical strategist at DigiCert, in a blog post announcing the move. “Neither of these methods were particularly secure, and we led the effort to get them removed, as part of an overall focus on improving validation standards.”