Full Report
Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while allowing companies to not fix the vulnerabilities—exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the talk.

> Thirty years ago, a debate raged over whether vulnerability disclosure was good for computer security. On one side, full disclosure advocates argued that software bugs weren't getting fixed and wouldn't get fixed if companies that made insecure software weren't called out publicly. On the other side, companies argued that full disclosure led to exploitation of unpatched vulnerabilities, especially if they were hard to fix. After blog posts, public debates, and countless mailing list flame wars, there emerged a compromise solution: coordinated vulnerability disclosure, where vulnerabilities were disclosed after a period of confidentiality in which vendors could attempt to fix things. Although full disclosure fell out of fashion, disclosure won and security through obscurity lost. We've lived happily ever after since...
Analysis Summary
# Regulation/Compliance: Vulnerability Disclosure Agreement Constraints
## Overview
This summary focuses on the **legal and contractual implications** surrounding modern vulnerability disclosure practices, specifically how agreements associated with managed bug bounty programs can restrict security researchers' ability to share findings, potentially undermining the original intent of Coordinated Vulnerability Disclosure (CVD). This is a matter of contract law as it relates to information disclosure practices rather than mandatory government regulation.
## Key Details
- Issuing Authority: Not applicable (This is based on private contractual agreements, often enforced via contract law).
- Effective Date: Varies based on the agreement's signing date.
- Jurisdiction: Dependent on the governing law specified in the contract (usually the jurisdiction where the company or platform operates).
- Status: In Effect (These contractual practices are actively in use).
## Requirements
### Mandatory Requirements (For Organizations Implementing Bug Bounties)
1. **Adherence to Contractual Obligations:** Organizations must abide by the terms laid out in their vulnerability management agreements, including those set by third-party bug bounty platforms.
2. **Clarity in Disclosure Terms:** Organizations must ensure that the confidentiality and disclosure terms a researcher is bound by (duration, scope, and what may be published after remediation) are stated clearly and communicated to researchers before they submit a report, since those terms are what a breach-of-contract claim would later rest on.
### Recommended Practices (To Maintain Disclosure Spirit)
1. **Ban Non-Disclosure Requirements:** Actively avoid contractual language that requires researchers to maintain perpetual or indefinite confidentiality regarding vulnerability findings, as this contradicts the spirit of CVD.
2. **Align Program Terms with CVD:** Structure bug bounty agreements to support the compromise established by Coordinated Vulnerability Disclosure (i.e., allowing for eventual public disclosure after a reasonable remediation period).
3. **Transparency:** Be clear about the legal consequences of breaching confidentiality agreements established through the program terms.
## Affected Organizations
- Industries: Any technology or software development sector utilizing paid bug bounty programs or vulnerability management platforms.
- Organization Size: All organizations running bug bounty programs, whether self-managed or run through a third-party platform, regardless of size.
- Geographic Scope: Dependent on the jurisdiction clause in the specific contractual agreement.
## Compliance Timeline
- **Historic Context (Early 2000s):** Shifted from Full Disclosure to Coordinated Vulnerability Disclosure (CVD).
- **Current/Ongoing:** Researchers must adhere to the confidentiality periods agreed upon when entering managed bug bounty programs.
- **Future Action:** Platforms and companies are being called upon to adapt practices to ban overly restrictive non-disclosure clauses.
## Implementation Guidance
### Assessment Phase
- Review all current vulnerability intake contracts, particularly those managed through third-party bug bounty platforms, to identify any clauses requiring total or perpetual non-disclosure by the researcher.
### Implementation Phase
- Engage legal counsel to revise standard Non-Disclosure Agreements (NDAs) or program terms used for vulnerability submissions to ensure they permit necessary public disclosure after remediation, aligning with CVD principles.
### Validation Phase
- Ensure that new researcher agreements explicitly permit disclosure after a defined, reasonable confidentiality window has passed, balancing vendor remediation time with the public's right to know (the "original bargain" of CVD).
## Technical Requirements
None directly derived from statutory regulation; technical requirements are governed by the specific terms of the *contractual agreement* between the researcher and the company/platform regarding the handling and reporting of the vulnerability details.
## Penalties & Enforcement
- Fines: Not detailed in this context, but potential penalties arise from *breach of contract* lawsuits initiated by the company against the researcher for violating confidentiality agreements.
- Other Consequences: Researchers may be barred from future participation in bug bounty programs or face litigation, potentially chilling future disclosure activity.
- Enforcement: Primarily through civil litigation (contract enforcement) brought against the researcher by the vendor or by the platform that manages the agreement; no regulator is involved.
## Related Standards
- **Coordinated Vulnerability Disclosure (CVD):** The standard practice that these current contractual restrictions risk undermining.
- **Contract Law:** The primary legal framework defining the enforceability of confidentiality restrictions imposed on researchers.
## Resources
- Official Documentation: Kendra Albert's USENIX Security talk (the primary source for this summary; the talk itself is not reproduced here).
- Guidance Documents: Legal analysis concerning the enforceability of restrictive confidentiality clauses in hacking/research contexts.
## Practical Recommendations
- **Vendors:** Review and modify bug bounty program agreements to ensure confidentiality periods are reasonable and do not permanently muzzle researchers, thereby preserving the intent of CVD.
- **Researchers:** Understand the specific contract law governing any agreement presented by a bug bounty platform, paying close attention to the duration and scope of any stipulated non-disclosure requirements.