New Open Source Effort: Legal Code to Make Reporting Security Bugs Safer


The framework seeks to standardize “safe harbor” language for security researchers.

Not a week goes by without another major business or Internet service announcing a data breach. And while many companies have begun to adopt bug bounty programs to encourage outside security researchers to report vulnerabilities, they’ve done so largely inconsistently. That’s the reason for the new project, a collaborative and open source effort to create an open standard for bug bounty and vulnerability-disclosure programs that protects well-intentioned hackers.

…Companies that manage bug bounties for large organizations, including HackerOne and Bugcrowd, have made their own efforts to get customers to standardize security terms. But these efforts haven’t translated into wider adoption of those best practices—which is why the project was formed. The project has its roots in two separate but similar efforts that are being rolled into it. The first is #LegalBugBounties, an effort started by Amit Elazari, a doctoral candidate at the University of California, Berkeley School of Law and a grantee of the university’s Center for Long-Term Cybersecurity. The second is the Open Source Vulnerability Disclosure Framework, an effort launched in April by Bugcrowd and the law firm CipherLaw.

Read more at Ars Technica