Information about W3C Guidelines for Vulnerability Disclosure Programs
January 2017
This document provides information about the W3C Guidelines for Vulnerability Disclosure Programs to protect security and privacy researchers that W3C announced on January 27, 2017.
It is public and may be updated at any time.
- About W3C
- Background
- W3C Guidelines for vulnerability disclosure programs
- FAQ
- What happens next?
- What are example Guidelines to protect security and privacy researchers?
- How will the Guidelines impact the EME work specifically?
- What is the possible "future work in this space" for the Guidelines in the W3C Process?
- Can W3C enforce the Guidelines?
- Will these Guidelines be mandatory?
- May I become involved?
- Related links
- Media Contact
About W3C
What is W3C
The World Wide Web Consortium (W3C) is an international standards organization that develops the technical standards and guidelines for the Web. W3C was founded in 1994 by Sir Tim Berners-Lee, inventor of the Web, and Director of the W3C. Dr. Jeff Jaffe is the CEO of the W3C. Together they guide the W3C in its mission “to lead the Web to its full potential.”
For more than 20 years, W3C has developed new standards so that the Web works on different devices, in different languages, for people of all abilities, and will meet the needs of diverse industries.
How W3C works
As a technical standards consortium, W3C is a membership organization with representatives from business and industry, academia, governments and non-profit organizations. Its 412 Members, together with W3C staff, lead the technical work and determine the direction for new work on the Web. W3C staff are affiliated with one of four host organizations as part of a joint consortium among MIT, ERCIM, Keio University and Beihang University.
Tim Berners-Lee, inventor of the WWW, Founder of the W3C and its Director, is the lead technical architect at W3C. His responsibilities include assessing consensus within W3C for architectural choices, publication of technical reports, chartering new Groups, appointing group Chairs, "tie-breaker" for appeal of a Working Group decision and deciding on the outcome of formal objections.
Background
The W3C today announced that it would work to establish a set of Guidelines intended to protect security and privacy researchers in the interest of promoting vulnerability disclosure programs. This has an important connection to our announcement about the HTML Media Extensions charter extension and the advancement of the Encrypted Media Extensions (EME) specification.
The W3C EME work has received a great deal of public attention because the specification outlines a way for Web browsers to interact with encrypted media - allowing, for example, streaming movie services on the Web. However, EME technology is NOT used for encrypting media nor does it enforce content protection - rather it outlines means of interaction between encrypted media and web browsers.
Some members of the W3C and the public are concerned whether any technology which interacts with encrypted media can be impacted by laws around content protection in different countries such as the US DMCA or the EU Copyright Directive. Much of the comments by W3C Members and the public concerned about EME have been around the importance of protecting security and privacy researchers from prosecution under such laws.
During different stages of the progress of the EME specification through the W3C Process some Members from the W3C requested that the EME work be halted until protections for security and privacy researchers were included as part of the work. Other Members of the W3C requested that the work be allowed to continue. In 2016 the EFF, a W3C member, proposed the use of a DRM Circumvention Nonaggression Covenant be adopted as part of the requirement for the EME work. The proposal went through extensive discussion by W3C Members but unfortunately, Member consensus was not reached. Since there was no consensus and the HTML Media Extensions Working Group was within the terms of its approved charter and were making the technical progress required, the W3C Director allowed the group charter to be extended and the work to continue.
W3C Guidelines for vulnerability disclosure programs
While the Director recognized the technical progress and stability of the EME work, the lack of consensus on how to protect security and privacy researchers remained an issue. The Director therefore asked the W3C Team to find a resolution that could be agreed to by both supporters of the HTML Media Extensions Working Group charter extension and objectors. Unfortunately, the Team was unable to find such a resolution between the two groups. Therefore the Director concluded that the best practical method to improve protections at this stage would be to allow the EME work to continue by overruling the objections to the charter extension but to establish momentum for protection of security and privacy researchers by establishing best practices for responsible vulnerability disclosure.
FAQ
What happens next?
On 2 March 2017 the W3C Team will publish, as a W3C Team Submission, a set of Guidelines for vulnerability disclosure programs that protect security and privacy researchers. This will represent our initial sense of best practice and will serve as input for further work in this space.
Following the 2 March date, the W3C Director will send a Call for Review for the Encrypted Media Extensions Proposed Recommendation, soliciting feedback and expression of interest for the specification and the initial draft of W3C guidelines for security and privacy researchers disclosure programs.
Update 23 February 2017: Read the draft W3C Security Disclosures Best Practices.
Update 2 March 2017: W3C Security Disclosures Best Practices published as a W3C Team Submission.
What are example Guidelines to protect security and privacy researchers?
The Team is using as a starting point Responsible Vulnerability Disclosure program, established by Netflix.
Points the W3C consider important include:
That companies would agree to not bring a lawsuit against or ask law enforcement to investigate privacy and security researchers provided they follow agreed guidelines for disclosures such as:
- Provide a reasonable time period to address the issue before making the disclosure public.
- Provide an appropriate level of detail on the vulnerability to companies to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information.
- Make a reasonable effort to avoid service disruption (e.g. DoS), privacy issues (i.e. accessing customer’s data), and data destruction when performing vulnerability research.
How will the Guidelines impact the EME work specifically?
They would be voluntary to start, at the "best practices" stage. Guidelines would not be mandatory retroactively - for work already chartered before the Guidelines. Therefore, the current version of the EME work has been allowed to go forward under its charter. The Guidelines, at the note stage, would be voluntary for groups who have already started work. The Director will be looking at the upcoming Advisory Committee review and the feedback on the Guidelines before deciding to move the EME specification to W3C Recommendation.
What is the possible "future work in this space" for the Guidelines in the W3C Process?
The analogy of the W3C Patent Policy was made last year by those advocating for a covenant.
The first instance of the W3C Patent Policy came out as a note and was discussed in a W3C Patent Policy group. Then the work went for Advisory Committee review and was further developed according to the W3C Recommendation Process, after which it became part of the W3C Process "by reference".
When the Patent Policy existed, the W3C chose to make it mandatory to agree to it for new groups chartering.
Similarly, the set of Guidelines for vulnerability disclosure programs that protect security and privacy researchers may be refined and approved by the W3C Membership at large as a condition to join a W3C Working Group. Working on a W3C specification would then mean agreeing to comply with the Guidelines.
Can W3C enforce the Guidelines?
No, W3C cannot enforce the Guidelines. It can and certainly will promote the organizations who have changed their disclosure program best practices.
Will these Guidelines be mandatory?
Compliance with the set of Guidelines would be voluntary. There is already some industry acceptance; several member companies already have policies for protection of security and privacy researchers. We hope we can expand on and improve existing positive momentum for such an approach. Additional work to get the approval from the W3C Membership would be needed to make the Guidelines required to join Working Groups at W3C.
May I become involved?
Yes, please. Prior to the publication of the Guidelines as a W3C Team submission, input is welcome via public-security-disclosure@w3.org (mail archive).
Related links
As background, see the EME Factsheet from 2016.
Media Contact
Send media enquiries to w3t-pr@w3.org.