disclose / diodb

Open-source vulnerability disclosure and bug bounty program database
https://disclose.io/programs/
Creative Commons Zero v1.0 Universal

Proposal to track disclosure type in addition to safe harbor type #101

Closed cablej closed 4 years ago

cablej commented 4 years ago

A company's willingness to disclose reported vulnerabilities can be of interest to researchers when evaluating programs, in addition to safe harbor. As described in the disclose.io terms, disclosure types can include coordinated disclosure, discretionary disclosure, and non-disclosure:

  • Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after 90 days from submission, whichever is sooner,
  • Discretionary Disclosure: The researcher or the program owner can request mutual permission to share details of the vulnerability after approval is explicitly received, or
  • Non-Disclosure: Researchers are required to keep vulnerability details and the existence of the program itself confidential.

To that end, I suggest adding a public_disclosure field to each program. As with the safe_harbor field, the public_disclosure field can have one of three values: "coordinated" for coordinated disclosure, "discretionary" for discretionary disclosure, and "" or "none" for non-disclosure.

Such a change will both aid researchers and enable tracking disclosure trends across VDPs over time.
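As an added example, not code from diodb itself: a small validator for the proposed public_disclosure field, plus the per-type count the proposal mentions for tracking trends. It assumes the program list is a JSON array of objects, that the existing safe_harbor field takes the values "full", "partial" or "none", and uses constructed sample entries.

```python
import json
from collections import Counter

# Allowed values for the proposed public_disclosure field, as listed in the proposal.
# "" is treated as an alias for "none" (non-disclosure).
PUBLIC_DISCLOSURE_VALUES = {"coordinated", "discretionary", "none"}
# Values of the existing safe_harbor field: an assumption, not stated in this issue.
SAFE_HARBOR_VALUES = {"full", "partial", "none"}


def normalize_disclosure(value):
    """Map a raw field value to its canonical form; empty means non-disclosure."""
    value = (value or "").strip().lower()
    return "none" if value == "" else value


def validate_program(entry):
    """Return the list of problems for one program entry (empty list means valid)."""
    problems = []
    if not entry.get("program_name"):
        problems.append("missing program_name")
    if entry.get("safe_harbor") not in SAFE_HARBOR_VALUES:
        problems.append(f"bad safe_harbor: {entry.get('safe_harbor')!r}")
    if normalize_disclosure(entry.get("public_disclosure")) not in PUBLIC_DISCLOSURE_VALUES:
        problems.append(f"bad public_disclosure: {entry.get('public_disclosure')!r}")
    return problems


def validate_list(programs):
    """Validate every entry; return {program_name or #index: problems} for invalid ones."""
    invalid = {}
    for i, entry in enumerate(programs):
        problems = validate_program(entry)
        if problems:
            invalid[entry.get("program_name") or f"#{i}"] = problems
    return invalid


def disclosure_breakdown(programs):
    """Count programs per (normalized) disclosure type across the whole list."""
    return Counter(normalize_disclosure(e.get("public_disclosure")) for e in programs)


# Constructed sample entries, not real diodb records.
SAMPLE_PROGRAMS = json.loads("""[
 {"program_name": "Example Corp", "safe_harbor": "full", "public_disclosure": "coordinated"},
 {"program_name": "Acme VDP", "safe_harbor": "partial", "public_disclosure": ""},
 {"program_name": "Widget Inc", "safe_harbor": "none", "public_disclosure": "Discretionary"},
 {"program_name": "Broken Entry", "safe_harbor": "yes", "public_disclosure": "maybe"}
]""")

if __name__ == "__main__":
    print(validate_list(SAMPLE_PROGRAMS))
    print(disclosure_breakdown(SAMPLE_PROGRAMS))
```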

yesnet0 commented 4 years ago

@cablej Agreed. Feel free to commit a PR to the schema and the main list (cc: @codingo)

JLLeitschuh commented 4 years ago

My 10 cents.

I'd update to this definition for 'Coordinated Disclosure'.

Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after (at maximum) 90 days from submission, whichever is sooner

I don't think it should be called 'coordinated disclosure' if the organization has a policy that extends beyond 90 days.

JLLeitschuh commented 4 years ago

I'm still really not a fan that all 3 of these choices leave a researcher in a state where their protections from CFAA are predicated upon conforming to the disclosure policy of the company.

Is there some 4th option where a company can say that they won't pursue legal action even in the case of what they deem to be 'irresponsible disclosure'?

Google does this, & they will even pay if you disclose before the vuln is fixed. What category would their policy fall into in this case?

yesnet0 commented 4 years ago

@JLLeitschuh This is confusing the disclosure dynamics of vulnerability disclosure (i.e. the superset, and disclose.io's focus) with bug bounty (i.e. a subset).

JLLeitschuh commented 4 years ago

This is confusing the disclosure dynamics of vulnerability disclosure (i.e. the superset, and disclose.io's focus) with bug bounty (i.e. a subset).

Sure, the way I phrased it above, I agree.

Let me put it another way: I'd like to make my company's VDP not require that researchers sync their disclosure with ours. I don't want them to feel like we won't protect them from CFAA if they don't disclose in a way that we want. (Personally, I'd prefer if they did, but I don't want to make it conditional.) I don't want to couple safe-harbour with disclosure. What's the best way to do this and which category would such a policy fall into?