The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward.

To help software vendors and Web companies deal with this problem, the team at Bugcrowd today is releasing its Open Source Responsible Disclosure Framework, a comprehensive policy and guide. The framework is meant to aid companies in setting up a responsible disclosure program for external security researchers, one that addresses many of the legal issues facing independent researchers who discover flaws in a given product and want to disclose them to the affected vendors.

The germ of the idea at Bugcrowd came from the company's interactions with the vendors it works with on behalf of security researchers. The company has a stable of independent security researchers who do security testing of Bugcrowd's customers' software and receive bounties in return. Any vulnerabilities found are reported through Bugcrowd. The company's CEO, Casey Ellis, said that Bugcrowd wanted to help companies of any size offer incentives for researchers who might want to take a look at their software.

"Our belief is that companies, regardless of size, should be incentivizing or providing a framework for security researchers," he said in an interview. "Some have pages on their sites spelling out the terms for security researchers, but there's no gold standard. The idea behind what we've done here is to build something like that. We wanted to create a document that's as simple as it could possibly be. A lot of people who will want to engage with this aren't lawyers, or don't even have English as a first language."

In creating the framework, which is available on GitHub, Bugcrowd worked with Jim Denaro, the founder of CipherLaw, a law firm that specializes in information security work.

"Security vulnerabilities threaten many critical systems, such as medical devices, automobiles, and systems that store personal confidential information," said Jim Denaro, founder of CipherLaw. "We need to ensure that independent researchers with the skills to find these vulnerabilities are not discouraged from reporting them because of the legal risks. This framework will help researchers to continue their important work."

Disputes and acrimony between security researchers and software companies have been a staple of the vulnerability discovery process for decades now. That has only become more pronounced in recent years because of the advent of Web applications that can be tested from anywhere, often without a license. Ellis emphasized that Bugcrowd wanted to help defuse some of that drama.

"The key thing was how to balance the protections for researchers and companies. The nature of what's going on here can be quite confrontational," Ellis said. "People can take security research as being helpful or get quite anxious about it. The more companies that adopt this, the safer it will be for the Internet as a whole."