Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/10/2019
10:30 AM
Matt Honea
Matt Honea
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Safe Harbor Programs: Ensuring the Bounty Isn't on White Hat Hackers' Heads

As crowdsourced security-testing surges in popularity, companies need to implement safe harbor provisions to protect good-faith hackers -- and themselves.

Bug bounty programs are surging in popularity, as more companies — both public and private — use freelance security researchers to spot vulnerabilities in their systems and help protect valuable customer data. According to the 2018 HackerOne report, new bug bounty programs have grown a staggering 54% in the last year alone, and valid reports hit an all-time high of 80%.

However, despite the growth of these programs, disclosure standards and practices vary widely from company to company. This severe lack of standardization exposes well-intentioned hackers to possible legal liability — and can leave companies open to costly avoidable risk, as the 2017 Equifax breach showed.

To ensure the disclosure industry continues to evolve and thrive, companies need to offer protection for good-faith hackers by standardizing their reporting and policies, using easy-to-understand language. By making the rules of the road clear to everyone, the industry can chart a better, more secure path forward.

Closing Reporting Gaps
Having companies pay hackers seems counter-intuitive, but the ecosystem is symbiotic — and, overall, it works. With the help of hackers, companies are able to subject their exposed systems to continuous testing from multiple angles at once, while rewarding freelancers who spot key vulnerabilities.

Ensuring the system moves toward closing reporting gaps requires companies to take a few key actions, including establishing a vulnerability disclosure program (VDP). A VDP provides a secure channel that hackers can use to report bugs quickly, along with an internal team of company experts to mitigate and triage problems.

As an extension of a VDP, safe harbor policies provide specific language and guidelines around bug bounty programs. Several large companies, such as Dropbox and General Motors, have these policies, but most companies don't. In fact, according to HackerOne, 93% of Forbes' list of Global 2000 companies don't have any way for researchers to report security issues. As a result, hackers can't be confident they're working directly with companies without fear of civil or criminal legal reprisal, leaving only hackers that are driven solely of good faith to report any vulnerabilities. 

While hackers may be vulnerable in the absence of safe harbor policies, today's booming bug bounty economy still offers plenty of opportunities. After all, time is money — and it's a seller's market. For companies without the proper protection, freelance security researchers lack incentive to report bugs when given the choice to work for companies that publicly offer bounties and protection. Faced with such ambiguity, some might fail to report vulnerabilities at all — or worse, could choose to post the information to the Dark Web, where there's a thriving market for data and remote access, or publicly expose the flaw to embarrass a company, allowing other hackers to exploit the information, which is what happened to Microsoft in 2017.

Balancing Risks and Rewards
For companies, safe harbor is a trade-off that allows hackers to work more openly within their systems in exchange for protections. Currently, safe harbor is in a "read between the lines" state. While many companies won't actually pursue legal action against hackers who report a bug in good-faith, other companies also don't want to give up their right to prosecute if things go sideways.

It's critical for organizations to formalize their safe harbor protections by writing clear policies that offer a broad range of protections for hackers. It's simply good business since the cost of a bug bounty is significantly less than what a data breach costs to remediate. The average bounty payout for a critical vulnerability is US $2,041, according to HackerOne. The average data breach cost, according to Ponemon Institute, is a hefty US $3.62 million.

Existing programs like Disclose.io are helping to standardize safe harbor programs by creating universal language within existing bug bounty programs, so that rules for hackers don't change from program to program. However, safe harbor provisions do come with risks, both for the company and the hacker, meaning that steps need to be taken in order for safe harbor to become more widely adopted.

Adding common and easily accepted legal language to manage disclosure programs is the easiest and best way companies can boost adoption. By using simple wording that's publicly displayed, companies can state that they will not pursue legal action against hackers within a defined security scope.

Well-known software companies like Dropbox and Mozilla — which have significant exposure, developed vulnerability programs, and high levels of responsiveness — are leading the way in safe harbor programs. And the disclosure industry as a whole will benefit.

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Matthew Honea is the director of cyber at Guidewire, where he directs a team of experts to develop new analytical products and insurance solutions. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...