Bugcrowd is continuing its open-source approach to vulnerabilities with a guide for companies looking to set up their own responsible disclosure programs.
True to its name, Bugcrowd looks to crowdsource the uncovering of vulnerabilities in popular software and applications. Now, developed in collaboration with Washington, D.C.-area information security attorney Jim Denaro from CipherLaw, the new Creative Commons-licensed Open Source Responsible Disclosure Framework is designed to enable companies to set up their own responsible disclosure program to more quickly and smoothly prepare their organization to work with the independent security researcher community, while reducing the legal risks to researchers and companies.
The framework also includes a responsible disclosure policy that provides additional legal assurances for independent security researchers who are looking for ways to responsibly disclose vulnerabilities in websites, applications or software. Together, the policy and associated best practices guide are meant to provide an overview of the basic processes needed for companies who are interested in establishing a responsible disclosure program, but do not yet have one in place.
"Bugcrowd is all about connecting independent security researchers with companies big and small," said Casey Ellis, CEO and co-founder of Bugcrowd, in a statement. "Security researchers are constantly finding new vulnerabilities in software, websites and applications of all sorts. The key to collaborating with independent security researchers and white hat hackers is establishing clarity and trust; this framework is one more way of ensuring that collaboration happens."
Policies such as these can help align the expectations of researchers and companies throughout the disclosure process. This policy is intended to be posted to a company's website or added to the Terms of Service for specific application or software, and can be adopted by most organizations with only a few small modifications.
"Security vulnerabilities threaten many critical systems, such as medical devices, automobiles, and systems that store personal confidential information," said Jim Denaro, founder of CipherLaw. "We need to ensure that independent researchers with the skills to find these vulnerabilities are not discouraged from reporting them because of the legal risks. This framework will help researchers to continue their important work."
Bug-finding is a well-worn track: Google, Facebook, Microsoft and PayPal all have high-profile bug bounty programs that make headlines for shelling out millions of dollars in rewards to those uncovering previously unknown vulnerabilities. The pay-to-hack community is a vibrant one, with events like Pwn2Own, the HP Zero-Day Initiative and other hacking contests attracting healthy competition and big-dollar prizes.
Bugcrowd itself takes on a middle-man role, contracting with clients interested in finding vulnerabilities and then deploying its army of “Bugcrowders” (consisting of hackers, amateurs, and security professionals from around the world) to look for holes. It’s an approach that has attracted some interest: last fall, the company announced a $1.6 million capital round from ICON Partners, Paladin Capital and Square Peg Capital.