Closed cablej closed 4 years ago
@cablej Agreed. Feel free to commit a PR to the schema and the main list (cc: @codingo)
My 10 cents.
I'd update to this definition for 'Coordinated Disclosure'.
Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after (at maximum) 90 days from submission, whichever is sooner.
I don't think it should be called 'coordinated disclosure' if the organization has a policy that extends beyond 90 days.
I'm still really not a fan that all 3 of these choices leave a researcher in a state where their protections from CFAA are predicated upon conforming to the disclosure policy of the company.
Is there some 4th option where a company can say that they won't pursue legal action even in the case of what they deem to be 'irresponsible disclosure'?
Google does this, & they will even pay if you disclose before the vuln is fixed. What category would their policy fall into in this case?
@JLLeitschuh This is confusing the disclosure dynamics of vulnerability disclosure (i.e. the superset, and disclose.io's focus) with bug bounty (i.e. a subset).
> This is confusing the disclosure dynamics of vulnerability disclosure (i.e. the superset, and disclose.io's focus) with bug bounty (i.e. a subset).
Sure, the way I phrased it above, I agree.
Let me put it another way: I'd like to make my company's VDP not require that researchers sync their disclosure with ours. I don't want them to feel like we won't protect them from CFAA if they don't disclose in a way that we want. (Personally, I'd prefer if they did, but I don't want to make it conditional.) I don't want to couple safe-harbour with disclosure. What's the best way to do this, and which category would such a policy fall into?
A company's willingness to disclose reported vulnerabilities can be of interest to researchers when evaluating programs, in addition to safe harbor. As described in the disclose.io terms, disclosure types can include coordinated disclosure, discretionary disclosure, and non-disclosure:
To that end, I suggest adding a `public_disclosure` field to each program. As with the `safe_harbor` field, the `public_disclosure` field can have one of three values: `"coordinated"` for coordinated disclosure, `"discretionary"` for discretionary disclosure, and `""` or `"none"` for non-disclosure.

Such a change will both aid researchers and enable tracking disclosure trends across VDPs over time.
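As an added example (not disclose.io's own code), a small validator for the proposed field plus a tally by disclosure type, run over constructed sample entries; the `program_name` key and the `safe_harbor` values in the samples are assumptions, not taken from the real list.

```python
"""Validate the proposed `public_disclosure` field and tally disclosure types."""
from collections import Counter

# Allowed values from the proposal; "" and "none" both mean non-disclosure.
PUBLIC_DISCLOSURE_VALUES = {"coordinated", "discretionary", "", "none"}


def normalize_disclosure(value):
    """Map a raw field value to a canonical label, or None if it is not allowed."""
    if value not in PUBLIC_DISCLOSURE_VALUES:
        return None
    return "none" if value == "" else value


def validate_program(entry):
    """Return a list of problems with an entry's public_disclosure field."""
    errors = []
    if "public_disclosure" not in entry:
        errors.append("missing public_disclosure field")
        return errors
    value = entry["public_disclosure"]
    if not isinstance(value, str):
        errors.append("public_disclosure must be a string")
    elif normalize_disclosure(value) is None:
        errors.append(f"unknown public_disclosure value {value!r}")
    return errors


def disclosure_counts(programs):
    """Tally valid entries by disclosure type; invalid entries are skipped."""
    counts = Counter()
    for entry in programs:
        if not validate_program(entry):
            counts[normalize_disclosure(entry["public_disclosure"])] += 1
    return counts


# Constructed sample entries (assumed `program_name` key, made-up values),
# not real programs from the disclose.io list.
SAMPLE_PROGRAMS = [
    {"program_name": "example-a", "safe_harbor": "full", "public_disclosure": "coordinated"},
    {"program_name": "example-b", "safe_harbor": "full", "public_disclosure": "coordinated"},
    {"program_name": "example-c", "safe_harbor": "partial", "public_disclosure": "discretionary"},
    {"program_name": "example-d", "safe_harbor": "none", "public_disclosure": ""},
    {"program_name": "example-e", "safe_harbor": "none", "public_disclosure": "none"},
    {"program_name": "example-f", "safe_harbor": "full", "public_disclosure": "irresponsible"},
]

if __name__ == "__main__":
    for program in SAMPLE_PROGRAMS:
        print(program["program_name"], validate_program(program) or "ok")
    print(dict(disclosure_counts(SAMPLE_PROGRAMS)))
```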