
posted by martyb on Monday August 06 2018, @10:33PM
from the here,-let-me-help-you dept.

Submitted via IRC for BoyceMagooglyMonkey

The Disclose.io framework seeks to standardize "safe harbor" language for security researchers.

[...] Not a week goes by without another major business or Internet service announcing a data breach. And while many companies have begun to adopt bug bounty programs to encourage the reporting of vulnerabilities by outside security researchers, they've done so largely inconsistently. That's the reason for Disclose.io, a collaborative and open source effort to create an open source standard for bug bounty and vulnerability-disclosure programs that protects well-intentioned hackers.

The lack of consistency in companies' bug-disclosure programs—and the absence of "safe harbor" language that protects well-intended hackers from legal action in many of them—can discourage anyone who discovers a security bug from reporting it. And vague language in a disclosure program can not only discourage cooperation but can also lead to public-relations disasters and a damaged reputation with the security community, as happened with drone maker DJI last November.

[...] But these efforts haven't been translating into a wider adoption of those best practices—which is why Disclose.io was formed. The project has its roots in two separate-but-similar efforts being rolled into Disclose.io. The first is #LegalBugBounties, which is an effort started by Amit Elazari, a doctoral candidate at the University of California at Berkeley School of Law and a grantee of the university's Center for Long-Term Cybersecurity. The second is the Open Source Vulnerability Disclosure Framework, an effort launched in 2016 by Bugcrowd and the law firm CipherLaw.

Source: https://arstechnica.com/information-technology/2018/08/new-open-source-effort-legal-code-to-make-reporting-security-bugs-safer/


  • (Score: 1, Funny) by Anonymous Coward on Tuesday August 07 2018, @12:48PM (#718209)

    Obviously no one posted here because they instead reported this story at disclosure.io
