Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/10/2019
10:30 AM
Matt Honea
Matt Honea
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Safe Harbor Programs: Ensuring the Bounty Isn't on White Hat Hackers' Heads

As crowdsourced security-testing surges in popularity, companies need to implement safe harbor provisions to protect good-faith hackers -- and themselves.

Bug bounty programs are surging in popularity, as more companies — both public and private — use freelance security researchers to spot vulnerabilities in their systems and help protect valuable customer data. According to the 2018 HackerOne report, new bug bounty programs have grown a staggering 54% in the last year alone, and valid reports hit an all-time high of 80%.

However, despite the growth of these programs, disclosure standards and practices vary widely from company to company. This severe lack of standardization exposes well-intentioned hackers to possible legal liability — and can leave companies open to costly avoidable risk, as the 2017 Equifax breach showed.

To ensure the disclosure industry continues to evolve and thrive, companies need to offer protection for good-faith hackers by standardizing their reporting and policies, using easy-to-understand language. By making the rules of the road clear to everyone, the industry can chart a better, more secure path forward.

Closing Reporting Gaps
Having companies pay hackers seems counter-intuitive, but the ecosystem is symbiotic — and, overall, it works. With the help of hackers, companies are able to subject their exposed systems to continuous testing from multiple angles at once, while rewarding freelancers who spot key vulnerabilities.

Ensuring the system moves toward closing reporting gaps requires companies to take a few key actions, including establishing a vulnerability disclosure program (VDP). A VDP provides a secure channel that hackers can use to report bugs quickly, along with an internal team of company experts to mitigate and triage problems.

As an extension of a VDP, safe harbor policies provide specific language and guidelines around bug bounty programs. Several large companies, such as Dropbox and General Motors, have these policies, but most companies don't. In fact, according to HackerOne, 93% of Forbes' list of Global 2000 companies don't have any way for researchers to report security issues. As a result, hackers can't be confident they're working directly with companies without fear of civil or criminal legal reprisal, leaving only hackers that are driven solely of good faith to report any vulnerabilities. 

While hackers may be vulnerable in the absence of safe harbor policies, today's booming bug bounty economy still offers plenty of opportunities. After all, time is money — and it's a seller's market. For companies without the proper protection, freelance security researchers lack incentive to report bugs when given the choice to work for companies that publicly offer bounties and protection. Faced with such ambiguity, some might fail to report vulnerabilities at all — or worse, could choose to post the information to the Dark Web, where there's a thriving market for data and remote access, or publicly expose the flaw to embarrass a company, allowing other hackers to exploit the information, which is what happened to Microsoft in 2017.

Balancing Risks and Rewards
For companies, safe harbor is a trade-off that allows hackers to work more openly within their systems in exchange for protections. Currently, safe harbor is in a "read between the lines" state. While many companies won't actually pursue legal action against hackers who report a bug in good-faith, other companies also don't want to give up their right to prosecute if things go sideways.

It's critical for organizations to formalize their safe harbor protections by writing clear policies that offer a broad range of protections for hackers. It's simply good business since the cost of a bug bounty is significantly less than what a data breach costs to remediate. The average bounty payout for a critical vulnerability is US $2,041, according to HackerOne. The average data breach cost, according to Ponemon Institute, is a hefty US $3.62 million.

Existing programs like Disclose.io are helping to standardize safe harbor programs by creating universal language within existing bug bounty programs, so that rules for hackers don't change from program to program. However, safe harbor provisions do come with risks, both for the company and the hacker, meaning that steps need to be taken in order for safe harbor to become more widely adopted.

Adding common and easily accepted legal language to manage disclosure programs is the easiest and best way companies can boost adoption. By using simple wording that's publicly displayed, companies can state that they will not pursue legal action against hackers within a defined security scope.

Well-known software companies like Dropbox and Mozilla — which have significant exposure, developed vulnerability programs, and high levels of responsiveness — are leading the way in safe harbor programs. And the disclosure industry as a whole will benefit.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Matthew Honea is the director of cyber at Guidewire, where he directs a team of experts to develop new analytical products and insurance solutions. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...