Leading Cybersecurity NGO and NYU TLP Clinic Collaborate to Improve Protections for Security Researchers
By Stephanie Shim (’25) & Serena Chen (’25)
Security researchers play a vital role in maintaining the security of the Internet, yet they are often in a vulnerable position relative to organizations that are armed with robust legal counsel and support teams. When security researchers approach organizations to discuss the discovery of vulnerabilities, they are often threatened with costly litigation or retaliatory actions that harm their reputation or future employment prospects.
Disclose.io is a platform that provides tools for security researchers to report vulnerabilities and for organizations to adopt Vulnerability Disclosure Policies (VDPs). Our project with disclose.io was two-fold. We worked to (1) update their existing VDP template for intended adoption by organizations and (2) create a new agreement for independent security researchers to use when reporting to organizations.
In concert with disclose.io’s larger mission to reduce friction in the use of VDPs and to normalize their adoption, our project aimed to bolster the organization-facing VDP template and provide customizable templates that security researchers can easily employ to protect themselves from legal threats and/or action under various applicable laws, including anti-hacking, anti-circumvention, and contract laws. Towards these goals, our team updated the organization-facing template policy to reflect significant legal developments, including the Supreme Court’s holding in Van Buren.
The new researcher-facing agreement affords more discretion to researchers by incorporating strong safe harbor provisions and more terms that researchers can customize to their individual situation and needs. By encouraging the adoption of vulnerability disclosure policies that foreground the researchers’ interests, our work empowers security researchers to disclose vulnerabilities and conduct research that contributes to the security and hygiene of the Internet with less fear and risk of legal liabilities.
Both documents will undergo a comment period to solicit feedback from the wider security researcher community, and are on track for publication in the main disclose.io repository later this year.