Ethical or good-faith hacking involves attempting to hack a computer or information system for the purpose of identifying security flaws so that they can be rectified and improved.
Many organisations encourage activities such as bug hunting and penetration testing, with ethical hacking increasingly being recognised as an important part of overall security strategies.

Organised bug bounty programmes and ethical hacking platforms typically provide ‘safe harbour’ statements to set out the protections afforded to ethical hackers.
Hackers may have to negotiate multiple sets of terms and conditions, which is why ethical hacking platform HackerOne has launched a Gold Standard Safe Harbour (GSSH) statement for its customers.
Chris Evans, CISO and chief hacking officer at HackerOne, said that it had never been more important for organisations to foster healthy engagement with ethical hackers.
The company believes that a standardised boilerplate would allow these organisations to offer hackers a short yet broad and easily understandable standard to work with.
Evans said that hackers who were “happy and engaged” resulted in better overall security for the organisations they tested.
The GSSH is being tested by Yahoo!, GitLab and travel company Kayak, which are all HackerOne customers.
Dominic Couture, staff security engineer for application security at GitLab, said that the firm’s adoption of the standard would hopefully reduce the informational burden on ethical hackers and streamline the bug bounty process.
Ethical hacking can put participants on the wrong side of the law
The threat of prosecution has been a part of the ethical hacking landscape since the concept first arose.
Earlier this year, the US Department of Justice said that it would no longer prosecute good-faith security researchers, and there have been calls within the UK for reform of the Computer Misuse Act (CMA).
The 32-year-old legislation defines offences linked to establishing unauthorised access to a computer and effectively criminalises many of the strategies and techniques commonly used by ethical hackers.
The CyberUp Campaign, which comprises businesses, NGOs, lawyers and other groups working across cyber security, has been campaigning on the issue.
It says that as it stands, the legislation prevents hackers and cyber security professionals from being able to effectively protect systems and organisations without the threat of prosecution.
HackerOne said that its gold standard could eventually help to clarify a legal distinction between ethical and malicious hacking.
