New gold standard to protect good faith hackers

Bug bounty programme operator and ethical hacking platform HackerOne has launched a Gold Standard Safe Harbour (GSSH) statement for its customers to help them demonstrate that they can and will protect ethical hackers from liability when hacking in good faith.

Any vulnerability disclosure policy or operational bug bounty programme should already include a safe harbour statement to outline the legal protections ethical hackers can expect, but HackerOne believes that by creating a standardised boilerplate, customers can swiftly adopt a short, broad and easily understood standard, and hackers no longer have to parse the different terms and conditions of multiple different statements.

“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and chief hacking officer at HackerOne.

“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programmes. When hackers are happy and engaged, organisations achieve better attack resistance.”

The GSSH is being road-tested by three HackerOne customers, travel agency Kayak, GitLab, and Yahoo, to “demonstrate their commitment to protecting good faith security research” and boosting hacker engagement with their respective bug bounty schemes.

Kayak chief scientist Matthias Keller said: “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty programme.

This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”

Dominic Couture, staff security engineer for application security at GitLab, added: “GitLab is pleased to adopt the Gold Standard Safe Harbour statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”

HackerOne’s next, as yet unreleased, Hacker Report found that over 50% of ethical hackers have discovered a vulnerability that they have not reported, for reasons including the organisation having shown itself to be hard to work with, or having been threatened with legal repercussions.

The threat of legal action, or even prison time, has hung over ethical hackers for as long as the concept of penetration testing has existed, and with the growing scope and scale of the cyber threat landscape in the past few years, more and more hackers want to see action on the issue from a regulatory perspective.

In the UK, there is considerable focus on the need to reform the 32-year-old Computer Misuse Act (CMA), which sets out the offence of unauthorised access to a computer, effectively criminalising many standard ethical hacking practices.

The CyberUp coalition, a group of businesses, trade associations, non-governmental organisations (NGOs) and lawyers drawn from across the cyber security community, has been campaigning at Westminster on this issue. It said that the CMA prevents cyber security professionals and hackers from being able to defend UK organisations from cyber attacks without risking prosecution for unauthorised access to a computer.

The government had begun to talk about the possibility of reform in 2021, but this process is currently somewhat stalled.

Absent legal reform, HackerOne said that adopting the GSSH would help organisations demonstrate that they endorse the latest legal and regulatory developments governing security research, and authorise good faith research. It hopes the GSSH may ultimately even help clarify a distinction in law between hacking for research or penetration testing, and malicious cyber attacks or reportable data breaches.

Organisations adopting the GSSH will replace are expected to replace their existing safe harbour statement with its text on their programme page, and will be eligible to display a digital badge alongside this. Hackers, meanwhile, will be able to select for GSSH participation when searching for bug bounty programmes on HackerOne’s platform.