In order to help its clients show that they can and will shield ethical hackers from liability while hacking in good faith, bug bounty programme operator and ethical hacking platform HackerOne has released a Gold Standard Safe Harbour (GSSH) declaration.
Any vulnerability disclosure policy or operational bug bounty programme should already include a safe harbour statement to describe the legal protections ethical hackers can anticipate. However, HackerOne thinks that by developing a standardised boilerplate, customers can quickly adopt a brief, general standard that is simple to understand, and hackers no longer have to parse the various terms and conditions of multiple different statements.
“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and chief hacking officer at HackerOne.
“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programmes. When hackers are happy and engaged, organisations achieve better attack resistance.”
Three HackerOne customers, the online travel firm Kayak, GitLab, and Yahoo, are road-testing the GSSH to “demonstrate their commitment to protecting good faith security research” and to boost hacker engagement with their respective bug bounty programmes.
Kayak chief scientist Matthias Keller said: “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty programme.
This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”
Dominic Couture, staff security engineer for application security at GitLab, added: “GitLab is pleased to adopt the Gold Standard Safe Harbour statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”
According to HackerOne’s forthcoming, as yet unpublished Hacker Report, more than 50% of ethical hackers have uncovered a vulnerability but have not yet reported it, often because the organisation has proven difficult to work with or because they have been threatened with legal action.
Since the invention of penetration testing, ethical hackers have faced the possibility of legal action or even prison time. In recent years, however, as the scope and size of the cyber threat landscape have increased, more and more hackers have expressed a desire to see regulatory action taken to address this problem.
In the UK, there is great focus on the need to update the 32-year-old Computer Misuse Act (CMA), which spells out the charge of unauthorised access to a computer, effectively criminalising many conventional ethical hacking methods.
The CyberUp coalition has been advocating at Westminster on this subject on behalf of corporations, trade groups, non-governmental organisations (NGOs), and attorneys from the entire cyber security industry. It said that the CMA restricts hackers and cyber security experts from defending UK organisations from cyberattacks without running the risk of being charged with unauthorised access to a computer.
The government began discussing reform in 2021, but progress has been slow since.
Adopting the GSSH, according to HackerOne, would enable organisations to show that they support the most recent legal and regulatory changes affecting security research, and to authorise good faith research in the absence of legal reform. It expects that the GSSH will eventually contribute to legal clarification of the difference between hacking for research or penetration testing and malicious cyberattacks or data breaches that require reporting.
Organisations adopting the GSSH are expected to replace their existing safe harbour statement with its text on their programme page, and will be eligible to display a digital badge alongside it. Hackers, meanwhile, will be able to filter for GSSH participation when searching for bug bounty programmes on HackerOne’s platform.