A group of developers, lawyers, and security researchers have joined forces to launch disclose.io, an effort to produce a standardised framework for security disclosures which provides protections both for good-faith researchers and for the companies whose products they analyse.
The field of security research can be a lucrative one: many companies offer ‘bug bounty’ programmes which invite security experts to analyse software and hardware for vulnerabilities and report them privately so they can be fixed ahead of public disclosure, with payouts ranging from a free T-shirt to hundreds of thousands of dollars. Where no formal programme exists, however, and in some cases even where a programme exists but the research is declared to be out of scope, researchers also run the risk of being sued for their actions.
Disclose.io aims to fix that, building on Bugcrowd and CipherLaw’s Open Source Vulnerability Disclosure Framework (OSVDF), Amit Elazari’s Legal Bug Bounty programme, and a call from cloud storage giant Dropbox to better protect good-faith security researchers.
The project’s core terms, available on its GitHub repository, set out guidelines companies can adopt in order to protect researchers and, with that protection in place, encourage them to report vulnerabilities without fear of reprisal. Those adopting the framework receive the right to use the disclose.io logo as a visible guarantee of those terms which, it is hoped, will attract security research talent.