Risk & Repeat: Can Disclose.io help protect vulnerability researchers?

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Disclose.io project and what it could mean for the future of security research and vulnerability disclosure.

Bug hunting and vulnerability disclosure can expose researchers to legal risk, but some experts are hoping to take the fear of legal action out of security research.

A new framework called Disclose.io aims to protect researchers participating in bug bounties from legal action under such laws as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).

The open source, vendor-agnostic project was launched by Amit Elazari, a University of California, Berkeley doctoral candidate and bug bounty legal expert, in collaboration with bug bounty platform provider Bugcrowd Inc. According to the project's website, enterprises and government organizations can adopt the framework's safe harbor language in their disclosure policies to shield researchers acting in good faith from legal action under the CFAA and DMCA.

Currently, 21 organizations have pledged support for the Disclose.io project. The framework arrives at a time when experts such as Bugcrowd CTO Casey Ellis have expressed concern about the future of good faith security research.

Will more organizations support the Disclose.io project? Can the framework encourage more researchers to participate in bug bounties? Are companies making the vulnerability reporting process too cumbersome and intimidating for researchers? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.
