An increasing number of enterprises take advantage of bug bounty programs to identify vulnerabilities and structural weaknesses within software. But outside of these formal programs, informing vendors about security issues can be a legal minefield.
Some firms welcome the help of the security community, and seek to reward it with bounties, swag, and offers of employment.
Others don’t take kindly to it, and respond with legal threats — or worse, they call the cops.
A great example of the latter is the Budapest Transport Authority (BKK in Hungarian), which recently called the cops on an 18-year-old security researcher after he found a way to adjust the price of travel tickets simply by using Chrome’s DevTools.
Like I said, a minefield.
One firm trying to make it easier for vendors to work with the security community is Bugcrowd. Today, the firm launched an open-source project called Disclose.io that aims to standardize the relationship between vendors and researchers.
Disclose.io is essentially an open-source set of rules that vendors can adopt. They promise to work with researchers in a timely manner, and say that they won’t take legal action against them when they act in good faith.
Researchers, on the other hand, promise to abide by a set of rules relating to scope, disclosure, and ensuring that they only access the minimum amount of data required to create a proof-of-concept.
What makes Disclose.io so useful is that the rules are plainly written, and can be easily read and understood by someone without a legal background, or who doesn’t speak English as a first language.
Building a bug bounty program has never been easier, thanks to platforms like HackerOne and Bugcrowd, which handle everything from disclosure to bounties. What makes Disclose.io so handy is that it allows vendors to set up rules of engagement merely by copying and pasting a bit of text from a GitHub repository.
It’s so simple, but I imagine that one simple thing has deterred hundreds of companies from launching their own bug bounty programs. And let’s face it, bug bounty programs are good for users.
By transforming security testing from yearly events performed by expensive penetration testing companies into something that happens year-round with the assistance of the security community, we end up with better software.