Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/10/2019
10:30 AM
Matt Honea
Matt Honea
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Safe Harbor Programs: Ensuring the Bounty Isn't on White Hat Hackers' Heads

As crowdsourced security-testing surges in popularity, companies need to implement safe harbor provisions to protect good-faith hackers -- and themselves.

Bug bounty programs are surging in popularity, as more companies — both public and private — use freelance security researchers to spot vulnerabilities in their systems and help protect valuable customer data. According to the 2018 HackerOne report, new bug bounty programs have grown a staggering 54% in the last year alone, and valid reports hit an all-time high of 80%.

However, despite the growth of these programs, disclosure standards and practices vary widely from company to company. This severe lack of standardization exposes well-intentioned hackers to possible legal liability — and can leave companies open to costly avoidable risk, as the 2017 Equifax breach showed.

To ensure the disclosure industry continues to evolve and thrive, companies need to offer protection for good-faith hackers by standardizing their reporting and policies, using easy-to-understand language. By making the rules of the road clear to everyone, the industry can chart a better, more secure path forward.

Closing Reporting Gaps
Having companies pay hackers seems counter-intuitive, but the ecosystem is symbiotic — and, overall, it works. With the help of hackers, companies are able to subject their exposed systems to continuous testing from multiple angles at once, while rewarding freelancers who spot key vulnerabilities.

Ensuring the system moves toward closing reporting gaps requires companies to take a few key actions, including establishing a vulnerability disclosure program (VDP). A VDP provides a secure channel that hackers can use to report bugs quickly, along with an internal team of company experts to mitigate and triage problems.

As an extension of a VDP, safe harbor policies provide specific language and guidelines around bug bounty programs. Several large companies, such as Dropbox and General Motors, have these policies, but most companies don't. In fact, according to HackerOne, 93% of Forbes' list of Global 2000 companies don't have any way for researchers to report security issues. As a result, hackers can't be confident they're working directly with companies without fear of civil or criminal legal reprisal, leaving only hackers that are driven solely of good faith to report any vulnerabilities. 

While hackers may be vulnerable in the absence of safe harbor policies, today's booming bug bounty economy still offers plenty of opportunities. After all, time is money — and it's a seller's market. For companies without the proper protection, freelance security researchers lack incentive to report bugs when given the choice to work for companies that publicly offer bounties and protection. Faced with such ambiguity, some might fail to report vulnerabilities at all — or worse, could choose to post the information to the Dark Web, where there's a thriving market for data and remote access, or publicly expose the flaw to embarrass a company, allowing other hackers to exploit the information, which is what happened to Microsoft in 2017.

Balancing Risks and Rewards
For companies, safe harbor is a trade-off that allows hackers to work more openly within their systems in exchange for protections. Currently, safe harbor is in a "read between the lines" state. While many companies won't actually pursue legal action against hackers who report a bug in good-faith, other companies also don't want to give up their right to prosecute if things go sideways.

It's critical for organizations to formalize their safe harbor protections by writing clear policies that offer a broad range of protections for hackers. It's simply good business since the cost of a bug bounty is significantly less than what a data breach costs to remediate. The average bounty payout for a critical vulnerability is US $2,041, according to HackerOne. The average data breach cost, according to Ponemon Institute, is a hefty US $3.62 million.

Existing programs like Disclose.io are helping to standardize safe harbor programs by creating universal language within existing bug bounty programs, so that rules for hackers don't change from program to program. However, safe harbor provisions do come with risks, both for the company and the hacker, meaning that steps need to be taken in order for safe harbor to become more widely adopted.

Adding common and easily accepted legal language to manage disclosure programs is the easiest and best way companies can boost adoption. By using simple wording that's publicly displayed, companies can state that they will not pursue legal action against hackers within a defined security scope.

Well-known software companies like Dropbox and Mozilla — which have significant exposure, developed vulnerability programs, and high levels of responsiveness — are leading the way in safe harbor programs. And the disclosure industry as a whole will benefit.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Matthew Honea is the director of cyber at Guidewire, where he directs a team of experts to develop new analytical products and insurance solutions. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.