New open source effort: Legal code to make reporting security bugs safer

Enlarge / The project: open source contracts to keep white-hat hackers and developers out of legal trouble. (credit:, a collaborative and open source effort to create an open source standard for bug bounty and vulnerability-disclosure programs that protects well-intentioned hackers.

The lack of consistency in companies’ bug-disclosure programs—and the absence of “safe harbor” language that protects well-intended hackers from legal action in many of them—can discourage anyone who discovers a security bug from reporting it. And vague language in a disclosure program can not only discourage cooperation but can also lead to public-relations disasters and a damaged reputation with the security community, as happened with drone maker DJI last November.

Dropbox moved to fix its own vulnerability disclosure terms and was motivated to change its own legal policies following a certain lawsuit against a reporter over a vulnerability disclosure. Companies that manage bug bounties for large organizations, including HackerOne and Bugcrowd, have made their own efforts to get customers to standardize security terms.

Read 5 remaining paragraphs | Comments