Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/10/2019
10:30 AM
Matt Honea
Matt Honea
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Safe Harbor Programs: Ensuring the Bounty Isn't on White Hat Hackers' Heads

As crowdsourced security-testing surges in popularity, companies need to implement safe harbor provisions to protect good-faith hackers -- and themselves.

Bug bounty programs are surging in popularity, as more companies — both public and private — use freelance security researchers to spot vulnerabilities in their systems and help protect valuable customer data. According to the 2018 HackerOne report, new bug bounty programs have grown a staggering 54% in the last year alone, and valid reports hit an all-time high of 80%.

However, despite the growth of these programs, disclosure standards and practices vary widely from company to company. This severe lack of standardization exposes well-intentioned hackers to possible legal liability — and can leave companies open to costly avoidable risk, as the 2017 Equifax breach showed.

To ensure the disclosure industry continues to evolve and thrive, companies need to offer protection for good-faith hackers by standardizing their reporting and policies, using easy-to-understand language. By making the rules of the road clear to everyone, the industry can chart a better, more secure path forward.

Closing Reporting Gaps
Having companies pay hackers seems counter-intuitive, but the ecosystem is symbiotic — and, overall, it works. With the help of hackers, companies are able to subject their exposed systems to continuous testing from multiple angles at once, while rewarding freelancers who spot key vulnerabilities.

Ensuring the system moves toward closing reporting gaps requires companies to take a few key actions, including establishing a vulnerability disclosure program (VDP). A VDP provides a secure channel that hackers can use to report bugs quickly, along with an internal team of company experts to mitigate and triage problems.

As an extension of a VDP, safe harbor policies provide specific language and guidelines around bug bounty programs. Several large companies, such as Dropbox and General Motors, have these policies, but most companies don't. In fact, according to HackerOne, 93% of Forbes' list of Global 2000 companies don't have any way for researchers to report security issues. As a result, hackers can't be confident they're working directly with companies without fear of civil or criminal legal reprisal, leaving only hackers that are driven solely of good faith to report any vulnerabilities. 

While hackers may be vulnerable in the absence of safe harbor policies, today's booming bug bounty economy still offers plenty of opportunities. After all, time is money — and it's a seller's market. For companies without the proper protection, freelance security researchers lack incentive to report bugs when given the choice to work for companies that publicly offer bounties and protection. Faced with such ambiguity, some might fail to report vulnerabilities at all — or worse, could choose to post the information to the Dark Web, where there's a thriving market for data and remote access, or publicly expose the flaw to embarrass a company, allowing other hackers to exploit the information, which is what happened to Microsoft in 2017.

Balancing Risks and Rewards
For companies, safe harbor is a trade-off that allows hackers to work more openly within their systems in exchange for protections. Currently, safe harbor is in a "read between the lines" state. While many companies won't actually pursue legal action against hackers who report a bug in good-faith, other companies also don't want to give up their right to prosecute if things go sideways.

It's critical for organizations to formalize their safe harbor protections by writing clear policies that offer a broad range of protections for hackers. It's simply good business since the cost of a bug bounty is significantly less than what a data breach costs to remediate. The average bounty payout for a critical vulnerability is US $2,041, according to HackerOne. The average data breach cost, according to Ponemon Institute, is a hefty US $3.62 million.

Existing programs like Disclose.io are helping to standardize safe harbor programs by creating universal language within existing bug bounty programs, so that rules for hackers don't change from program to program. However, safe harbor provisions do come with risks, both for the company and the hacker, meaning that steps need to be taken in order for safe harbor to become more widely adopted.

Adding common and easily accepted legal language to manage disclosure programs is the easiest and best way companies can boost adoption. By using simple wording that's publicly displayed, companies can state that they will not pursue legal action against hackers within a defined security scope.

Well-known software companies like Dropbox and Mozilla — which have significant exposure, developed vulnerability programs, and high levels of responsiveness — are leading the way in safe harbor programs. And the disclosure industry as a whole will benefit.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Matthew Honea is the director of cyber at Guidewire, where he directs a team of experts to develop new analytical products and insurance solutions. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16680
PUBLISHED: 2019-09-21
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.
CVE-2019-16681
PUBLISHED: 2019-09-21
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to file disclosure and XSS.
CVE-2019-16677
PUBLISHED: 2019-09-21
An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&do=del allows CSRF.
CVE-2019-16678
PUBLISHED: 2019-09-21
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.
CVE-2019-16679
PUBLISHED: 2019-09-21
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.