Researchers Thankful for New Paypal Policy
Immunity from legal action for researchers who follow site's responsible disclosure procedures
It may be the protection and peace of mind that Web application security researchers have been waiting for: PayPal's new vulnerability disclosure policy states that the company won't take any legal action against a researcher who properly follows its procedure for reporting bugs in its software. (See Laws Threaten Security Researchers).
"I would certainly hope it's the start of a trend," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who blogged on this development late yesterday. Grossman says there have been other signs of hope lately as well for freeing Web app security researchers to do their work without the worry of legal implications: a Microsoft panelist last week at the OWASP and Web Application Security AppSec 2007 Conference said the company wouldn't take action against anyone who finds bugs in its Websites. "But Microsoft has not gone so far as to document that publicly like PayPal," Grossman says.
Web application security researchers don't have the freedoms of other security researchers, who for the most part work unrestricted in their efforts to search for bugs in operating systems, device drivers, or other apps via their own machines. Computer security laws make looking for vulnerabilities on live Web servers dangerous legal territory, and the laws aimed at protecting companies from attackers have also inadvertently hurt researchers in this space.
Grossman says PayPal's policy may well be the first to guarantee Web researchers protection when they responsibly report a vulnerability to the company. PayPal's policy says, in part: "To encourage responsible disclosure, we commit that -- if we conclude that a disclosure respects and meets all the guidelines outlined below -- we will not bring a private action or refer a matter for public inquiry."
— Kelly Jackson Higgins, Senior Editor, Dark Reading