Bugcrowd Releases Open Source Responsible Disclosure Framework
Collaboration with CipherLaw Provides Legal Protection for Security Researchers
SAN FRANCISCO, July 24, 2014 /PRNewswire/ — Bugcrowd, the innovator in crowdsourced security testing, today publicly released a new guide for companies looking to set up their own responsible disclosure programs. Developed in collaboration with respected Washington, D.C.-area information security attorney Jim Denaro from CipherLaw, the new Creative Commons-licensed Open Source Responsible Disclosure Framework is designed to enable companies to set up a responsible disclosure program to more quickly and smoothly prepare their organization to work with the independent security researcher community, while reducing the legal risks to researchers and companies.
“Bugcrowd is all about connecting independent security researchers with companies big and small,” said Casey Ellis, CEO and co-founder of Bugcrowd. “Security researchers are constantly finding new vulnerabilities in software, websites and applications of all sorts. The key to collaborating with independent security researchers and white hat hackers is establishing clarity and trust; this framework is one more way of ensuring that collaboration happens.”
This new framework includes a responsible disclosure policy that provides additional legal assurances for independent security researchers who are looking for ways to responsibly disclose vulnerabilities in websites, applications or software. Policies such as these can help align the expectations of researchers and companies throughout the disclosure process. This policy is intended to be posted to a company’s website or added to the Terms of Service for a specific application or piece of software, and can be adopted by most organizations with only a few small modifications.
“Security vulnerabilities threaten many critical systems, such as medical devices, automobiles, and systems that store personal confidential information,” said Jim Denaro, founder of CipherLaw. “We need to ensure that independent researchers with the skills to find these vulnerabilities are not discouraged from reporting them because of the legal risks. This framework will help researchers to continue their important work.”
Together, the policy and the associated best practices guide provide an overview of the basic processes needed by companies that are interested in establishing a responsible disclosure program but do not yet have one in place. The framework is available today at https://github.com/bugcrowd/disclosure-policy.
Bugcrowd, the innovator in crowdsourced security testing for the enterprise, was founded in 2012 by a team of security and software development experts who saw the opportunity to level the playing field in cybersecurity. Bugcrowd’s revolutionary approach to cybersecurity combines a proprietary vulnerability reporting platform with the largest crowd of security researchers on the planet. Cost-effective and far faster than standard security testing programs, Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Based in San Francisco, Bugcrowd is backed by Icon Ventures, Paladin Capital and Square Peg Ventures. To learn more about Bugcrowd, visit www.bugcrowd.com or check out the Bugcrowd blog.
Bugcrowd is a trademark of Bugcrowd, Inc.