HackerOne encourages customers to adopt standard policy to protect hackers from legal problems
‘Short, broad, easily-understood safe harbor statement’ offered

Bug bounty platform HackerOne has overhauled its policy guidelines to enhance legal protections for ethical hackers acting in good faith

HackerOne has revamped its policy guidelines to offer better protection from legal problems for ethical hackers acting in good faith.

The Gold Standard Safe Harbor (GSSH), which customers who run bug bounty programs through HackerOne are asked to agree to, offers a “short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”.

Both vulnerability disclosure programs and bug bounty programs routinely include safe harbor agreements that explain the legal protections that hackers can expect. These agreements can vary, but by asking its customers to agree to a standard policy, HackerOne is aiming to reduce the bureaucratic overhead for ethical hackers.

‘Reduces the burden’

“While many programs already include safe harbor in their policies, the GSSH is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt,” according to the crowdsourced security platform. “This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Gold Standard Safe Harbor launched on Wednesday, November 16. Organizations committing to the GSSH will replace their existing safe harbor statement with the GSSH on their program page, which will be marked with a digital badge. Hackers will be able to filter searches for programs based on participation in the GSSH scheme.

KAYAK, GitLab Inc, and Yahoo are among the first customers to opt for the GSSH’s standardized language. The GSSH is available for adoption by HackerOne customers worldwide even though its language most closely aligns with recent US government cybersecurity policy updates, The Daily Swig understands.

Preliminary findings from HackerOne’s upcoming Hacker Report appear to vindicate efforts to strengthen legal safeguards for hackers.

The report will reveal that more than half of hackers have not reported a vulnerability they have discovered, with 12% ascribing their decision not to disclose to threatening legal language being used by the organization whose code contained the…