Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Legal Protection for Ethical Hackers

August 6, 2018

The Washington Post (sub. req.) reported on August 3rd about a new project called Disclose.io which is dedicated to providing legal protection to ethical hackers. The site itself says disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research.

The project originated with the cybersecurity firm Bugcrowd and a University of California researcher. It aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization's networks or software.

The project offers companies, academic institutions and even government agencies a standard legal agreement they can post that, in effect, says "it's okay to hack us if you do it in good faith." It tells ethical hackers that they won't get sued or face criminal charges if they find a flaw in an organization's systems and report it responsibly.

Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don't contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking.

In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities — sometimes to prevent an embarrassing flaw from being disclosed publicly. In one example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state's election website. And boy oh boy, was that something that needed to be disclosed!

Understandably, researchers are sometimes reluctant to report potentially serious security flaws because they fear the repercussions.

Disclose.io offers a template with boilerplate language that spells out in plain terms what security researchers can and can't do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced – anyone is free to use it or modify it.

With good cause, the private sector is leading on this issue and not waiting for the government to take action.

Other companies have rolled out programs like the one Disclose.io proposes. Dropbox, for example, revised its disclosure terms earlier this year to better protect white hat hackers after a security firm sued a reporter for writing about an apparent bug in its software. "Anything that stifles open security research is problematic," Dropbox's head of security wrote in a blog post, "because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community."

Private measures like these are sorely needed to protect us all. If the government can't or won't act responsibly to protect security researchers, I applaud this private sector effort.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson