HackerOne announced
the formation of the Hacking Policy Council in conjunction with the Center for Cybersecurity Policy and Law and other
leading organizations experienced in security researcher engagement. As a
founding member, HackerOne will advocate for policies encouraging vulnerability
detection, management, and disclosure best practices and improved protections
for good faith security research.
"As the threat landscape continues to evolve, policymakers must
consider how the hacking community can help organizations meet this challenge.
The Council aims to advocate for policy outcomes that will best enable
vulnerability discovery and disclosure and protect the hackers working to
improve the security of the products and systems we all use," said Ilona Cohen,
Chief Policy and Legal Officer at HackerOne. "I look forward to bringing
lessons from my background in the federal government and HackerOne's work with
the hacking community to inform the Hacking Policy Council's agenda."
As cyberattacks increasingly impact consumers, more
businesses and governments have begun to recognize the
benefits of security research to reduce the risk of a breach. However,
misinformed and outdated notions about vulnerability disclosure persist, and
some organizations still struggle to effectively adopt best practices like
vulnerability disclosure programs (VDPs). Overly restrictive legacy laws create
uncertainty that discourages good faith security research, and emerging legal
requirements mandating rushed or premature vulnerability reporting can
negatively impact collective cybersecurity efforts. A recent HackerOne survey also
revealed 64% of organizations still admit to a culture of security through
obscurity, which hinders industry collaboration and transparency.
HackerOne will address these challenges through the Hacking Policy
Council by working with the security, business, and policymaking communities
to:
- Promote collaboration across these communities for increased transparency and understanding
- Encourage a further cultural shift toward protecting and embracing good-faith security research and ethical hackers
- Build a more favorable legal environment for, and educate these communities on the benefits of, best practices such as VDPs, pentesting, and bug bounty programs
- Drive policies that encourage hacker engagement and the adoption of vulnerability policies that increase all organizations' resistance to attack
"HackerOne will always push to effect industry change that
protects the research of the hacker community and enhances the security of our
customers. These advocacy efforts contribute to our mission of building a safer
internet," said HackerOne CEO Marten Mickos. "Joining the Hacking Policy
Council will strengthen our message and expedite how quickly we can reach
policymakers to shape their agendas."
The Hacking Policy Council builds upon HackerOne's other advocacy
efforts for greater Corporate Security Responsibility (CSecR). In March 2022,
HackerOne announced the CSecR pledge for
leading customers to advocate for improving industry collaboration and
transparency. In November 2021, HackerOne expanded the Internet Bug Bounty (IBB)
program, which pools funds for under-resourced open-source projects. Most
recently, HackerOne announced its Gold Standard Safe
Harbor Statement (GSSH), which acts as an opt-in default safe harbor statement
for programs and clearly defines protections for hackers engaging with
programs. The founding members of the Hacking Policy Council include HackerOne,
Bugcrowd, Google, Intel, Intigriti, and Luta Security. You can read more about
the Hacking Policy Council in the Center for Cybersecurity Policy and Law's
press release and at HackingPolicyCouncil.org/.