New gold standard to protect good faith hackers

Bug bounty programme operator and ethical hacking platform HackerOne has launched a Gold Standard Safe Harbour (GSSH) statement for its customers to help them demonstrate that they can and will protect ethical hackers from liability when hacking in good faith.

Any vulnerability disclosure policy or operational bug bounty programme should already include a safe harbour statement to outline the legal protections ethical hackers can expect, but HackerOne believes that by creating a standardised boilerplate, customers can swiftly adopt a short, broad and easily understood standard, and hackers no longer have to parse the different terms and conditions of multiple different statements.

“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and chief hacking officer at HackerOne.

“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programmes. When hackers are happy and engaged, organisations achieve better attack resistance.”

The GSSH is being road-tested by three HackerOne customers, travel agency Kayak, GitLab, and Yahoo, to “demonstrate their commitment to protecting good faith security research” and boosting hacker engagement with their respective bug bounty schemes.

Kayak chief scientist Matthias Keller said: “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty programme.

This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”

Dominic Couture, staff security engineer for application security at GitLab, added: “GitLab is pleased to adopt the Gold Standard Safe Harbour statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”

HackerOne’s next, as yet unreleased, Hacker Report found that over 50% of ethical hackers have discovered a vulnerability that they have not reported, for reasons…