HackerOne, the specialist in attack resistance management, launched its Gold Standard Safe Harbor (GSSH) statement for customers, which supports the protection of ethical hackers from liability when hacking in good faith.
By default, any vulnerability disclosure policy, including bug bounty programs, should include a safe harbour statement that outlines the legal protections hackers can expect.
While many programs already include safe harbour in their policies, the GSSH is a short, broad, easily-understood safe harbour statement that’s simple for customers to adopt, HackerOne states.
This standardisation also reduces the burden on hackers for parsing numerous different program statements. HackerOne customers can now further demonstrate their commitment to protecting good faith security research (as defined) with GSSH and help boost hacker engagement to increase their respective attack resistance.
KAYAK, GitLab, and Yahoo are among the first customers to opt for the GSSH’s standardised language.
Chris Evans, CISO and Chief Hacking Officer at HackerOne, says, “With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk.
“We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programs. When hackers are happy and engaged, organisations achieve better attack resistance.”
Initial findings from HackerOne’s Hacker Report, to be released later this year, found that more than half of hackers have not reported a vulnerability they have discovered. 20% said this was because an organisation had previously been difficult to work with, and 12% said it was due to threatening legal language from organisations.
These reasons persist despite two-thirds of hackers anticipating that the Department of Justice’s (DOJ) recent changes to its policy on charging cases under the Computer Fraud and Abuse Act (CFAA) will increase protections for hackers.
Matthias Keller, Chief Scientist at KAYAK, says, “The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty program. This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organisation.”
Adopting the GSSH represents an organisation’s endorsement of these latest legal and regulatory developments surrounding security research. Customers that adopt GSSH also clearly authorise good faith security research, which may help clarify the distinction between access during good faith security research versus a reportable data breach.
Dominic Couture, Staff Security Engineer, Application Security at GitLab, says, “GitLab is pleased to adopt the Gold Standard Safe Harbor statement. We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”
Organisations committing to the GSSH will replace their existing safe harbor statement with the GSSH on their program page and receive a corresponding digital badge.
Hackers can also search for programs on the HackerOne platform based on GSSH participation. GSSH is the start of a broader initiative to codify and promote best practices for customers to engage hackers and reduce cybersecurity risk.