New gold standard to protect good faith hackers
Bug bounty programme operator and ethical hacking platform HackerOne has launched a Gold Standard Safe Harbour (GSSH) statement for its customers to help them demonstrate that they can and will protect ethical hackers from liability when hacking in good faith.

Any vulnerability disclosure policy or operational bug bounty programme should already include a safe harbour statement to outline the legal protections ethical hackers can expect, but HackerOne believes that by creating a standardised boilerplate, customers can swiftly adopt a short, broad and easily understood standard, and hackers no longer have to parse the different terms and conditions of multiple different statements.

“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and chief hacking officer at HackerOne.

“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programmes. When hackers are happy and engaged, organisations achieve better attack resistance.”

The GSSH is being road-tested by three HackerOne customers (travel agency Kayak, GitLab and Yahoo) to “demonstrate their commitment to protecting good faith security research” and to boost hacker engagement with their respective bug bounty schemes.

Kayak chief scientist Matthias Keller said: “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty programme.

This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”

Dominic Couture, staff security engineer for application security at GitLab, added: “GitLab is pleased to adopt the Gold Standard Safe Harbour statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”

HackerOne’s next, as yet unreleased, Hacker Report found that over 50% of ethical hackers have discovered a vulnerability that they have not reported, for reasons…


Justice Dept. says ‘good faith researchers’ no longer will face hacking charges
The U.S. Justice Department on Thursday said it would not use the country’s long-standing anti-hacking law to prosecute researchers who are trying to identify security flaws, a move that provides both protection and further validation for a craft still villainized by many officials, companies and the general public.

In a news release and five-page policy statement issued to federal prosecutors, top Justice officials said local U.S. attorneys should not bring charges when “good faith” researchers exceed “authorized access,” a vague phrase from the 1986 Computer Fraud and Abuse Act (CFAA) that has been interpreted to cover such routine practices as automated downloads of Web content.

The guidance defines good faith to mean research aimed primarily at improving the safety of sites, programs or devices, as opposed to exploration aimed at demanding money in exchange for withholding disclosure or exploitation of a security flaw.

Companies can still sue those who claim to be acting in good faith, and officials could continue to charge hackers under state laws that often echo the CFAA. But most state prosecutors tend to follow federal guidance when their laws are similar.

Well-intentioned hackers in the past were routinely silenced by legal threats. Even in recent years, civil suits and criminal referrals have been used to cancel public talks on dangerous vulnerabilities or cast doubt on research findings.

In 2019, a mobile voting company, Voatz, referred to the FBI a Michigan college student who was researching its app for a course. Twenty years ago, a former employee of email provider Tornado Development served more than a year in prison on federal CFAA charges after the company refused to fix security flaws and he emailed their customers about it.

In a case that drew national attention in October, the governor of Missouri threatened hacking charges against a local newspaper that examined the publicly available source code of a government website and then warned the state that it was exposing the Social Security numbers of 100,000 educators.

The Justice Department did…


US won’t prosecute ‘good faith’ security researchers • The Register
The US Justice Department has directed prosecutors not to charge “good-faith security researchers” with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

Good-faith, according to the policy [PDF], means using a computer “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.”

Additionally, this activity must be “carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The update clarifies that conducting security research for the purposes of finding flaws in devices or software, and then extorting the owners, “is not in good faith.”

Hopefully, the policy changes will make security researchers’ lives less stressful

“Computer security research is a key driver of improved cybersecurity,” stated Deputy Attorney General Lisa Monaco. “The Department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The new policy clarifies CFAA language that prohibits accessing a computer “without authorization,” wording that has long been criticized by security researchers and some lawmakers for not defining what the term means. Anyone charged with violating the law can face a lengthy prison sentence.

Critics of the CFAA often point to the death of Aaron Swartz, who died by suicide in 2013 after federal prosecutors charged him under the computer-fraud law for…


Rapid7 says Computer Misuse Act should include ‘good faith’ infosec research exemption • The Register
Infosec firm Rapid7 has joined the chorus of voices urging reform to the UK’s Computer Misuse Act, publishing its detailed proposals intended to change the cobwebby old law for the better.

The cloud-based SIEM company specifically highlighted section 3A of the CMA, saying this potentially “imperils dual-use open-source security testing tools and the sharing of proof-of-concept code”.

It also echoed other industry concerns about criminalising general security research through section 1 of the act, which prohibits accessing a computer without the owner’s permission.

“It’s worth noting that neither the National Crime Agency (NCA) nor the CPS seem to be recklessly pursuing frivolous investigations or prosecutions of good-faith security research. Nonetheless, the current legal language does expose researchers to legal risk and uncertainty, and it would be good to see some clarity on the topic,” said Rapid7 in a blog post published over the sleepy summer period.

Highlighting “dual use technologies”, the company suggested “clearer protections” under section 3A(2), exempting anything “capable of being used for legitimate purposes” that is both widely available and “intended by the creator or supplier” for legitimate uses.

Where this would leave tools such as Cobalt Strike is unclear. The threat simulation tool was originally developed for pentesters but has become ubiquitous among malicious folk on the internet – to the point where six suspects arrested in connection with the notorious Clop ransomware gang were found to be using it.

Rapid7 also proposed a legal exemption for “good faith” security research, resting on the notion that good faith research can be shown to be carried out “in a manner reasonably designed to minimise and avoid unnecessary damage or loss to property or persons”.

The Home Office announced plans to reform the…
