Menu
New guide aims to remove the drama of reporting software flaws

New guide aims to remove the drama of reporting software flaws

Bugcrowd worked with a legal firm, CipherLaw, to develop the framework

Handling a software flaw can be messy, both for a security researcher who found it and for the company it affects. But a new set of guidelines aims to make that interaction less mysterious and confrontational.

Large companies such as Facebook, Google and Yahoo have well defined "responsible disclosure" policies that lay out what is expected of researchers if they find a vulnerability and often the terms under which a reward will be paid.

But many companies don't, which can lead to problems and confusion. Security researchers have occasionally been referred to law enforcement even when they have been up front about the issue with a company.

The guidelines were developed by Bugcrowd, which has a platform companies can use to have their applications analyzed by independent researchers in a safe way and in some cases, reward them. Bugcrowd worked on the framework with CipherLaw, a legal firm specializing in technology.

They've released a short and lucid document on Github describing how companies should approach setting up a responsible disclosure program as well a boilerplate disclosure policy that can be included on a company's website.

The framework "is designed to quickly and smoothly prepare your organization to work with the independent security researcher community while reducing the legal risks to researchers and companies," according to an introduction on Github.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags BugcrowdCipherLaw

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments