Monday, December 28, 2009

Security Disclosure Policies That Remove Chilling Effects

As I have discussed before, PayPal has published a vulnerability disclosure policy that attempts to remove chilling effects for researchers wishing to responsibly disclose a security vulnerability. Until today I thought that PayPal and Microsoft were alone in having policies that explicitly gave security waivers to security researchers who practiced responsible disclosure.

I was informed of one, and discovered another, example of a similar policy, and I'm proud to say there are now several more policies like PayPal's:
If anyone knows of others, please let me know, as I'm going to try to keep a running list.


Anonymous said...

I just started reading this thread and have to roll back to the original post from 2007:

The first thing I found worth discussing is your sentence: "we don't want people to tinker around on our site."
What does that mean?
Where is the line between "user" and "attacker"?
A URL stored in 2007 and recalled in 2010 shows the content of a page which should not be disclosed to this user? Attack? No!

There is only one institution responsible for the security of the content: Paypal, no one else.

You cannot make any other person responsible for the security of your site.

You can ask for help in a friendly way and offer incentives for it, but nothing else.

As another comment said: "Does intent make any difference?"

You can never make the triage.

And my last comment to the "policy" of paypal:
I would not be proud of that, it's not a big deal.

Best regards

Andy Steingruebl said...

I'm not sure I understand your post. Are you saying that if you reused a URL from 2007 that you had bookmarked, for example, and it now shows someone else's data, then this wouldn't be invalid testing? I think I'd agree. This would not be illegitimate.

Never have I attempted to make other people responsible for security.

Does this help?