As Hackers Continue to Fear Legal Repercussions, the Initiative Encourages Safe Harbor Best Practices
SAN FRANCISCO, November 16, 2022: HackerOne, the leader in Attack Resistance Management, launched its Gold Standard Safe Harbor (GSSH) statement for customers, which supports the protection of ethical hackers from liability when hacking in good faith. By default, any vulnerability disclosure policy, including bug bounty programs, should include a safe harbor statement that outlines the legal protections hackers can expect. While many programs already include safe harbor in their policies, the GSSH is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt. This standardization also reduces the burden on hackers for parsing numerous different program statements.
HackerOne customers can now further demonstrate their commitment to protecting good faith security research (as defined) with GSSH and help boost hacker engagement to increase their respective attack resistance. KAYAK, GitLab Inc., and Yahoo are among the first customers to opt for the GSSH’s standardized language.
“With attack surfaces growing, healthy hacker engagement has never been more essential for reducing risk,” said Chris Evans, CISO and Chief Hacking Officer at HackerOne. “We at HackerOne want to establish a uniform standard of excellence our customers can adopt that helps hackers feel safe and valued on customer programs. When hackers are happy and engaged, organizations achieve better attack resistance.”
Initial findings from HackerOne’s Hacker-Powered Security Report, to be released later this year, found that more than half of hackers have not reported a vulnerability they have discovered. 20 percent said this was because an organization had previously been difficult to work with, and 12 percent said it was due to threatening legal language from organizations. These reasons are despite two-thirds of hackers anticipating that the Department of Justice’s recent changes to its policy on charging cases under the Computer Fraud and Abuse Act (CFAA) will increase hacking protections.
“The Gold Standard Safe Harbor statement helps us more clearly differentiate ourselves as a leading bug bounty program,” said Matthias Keller, Chief Scientist at KAYAK. “This aligns with the other best practices we follow, like paying on triage and paying for value, to guarantee we get the best hackers engaging with us to protect the organization.”
Adopting the GSSH represents an organization’s endorsement of these latest legal and regulatory developments surrounding security research. Customers that adopt GSSH also clearly authorize good faith security research, which may help clarify the distinction between access during good faith security research versus a reportable data breach.
“GitLab is pleased to adopt the Gold Standard Safe Harbor statement,” said Dominic Couture, Staff Security Engineer, Application Security at GitLab. “We hope this will reduce the informational burden to hackers and make their bug bounty experience more seamless, supporting our mission that everyone can contribute.”
Organizations committing to the GSSH will replace their existing safe harbor statement with the GSSH on their program page and receive a corresponding digital badge. Hackers can also search for programs on the HackerOne platform based on GSSH participation. GSSH is the start of a broader initiative to codify and promote best practices for customers to engage hackers and reduce cybersecurity risk. Learn more about HackerOne’s broader initiative and the GSSH here .
HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.