In the aftermath of a controversial lawsuit regarding a bug report, Keeper Security has partnered with Bugcrowd...
on a new vulnerability disclosure program, SearchSecurity has learned.
Keeper Security last year filed a controversial lawsuit against Dan Goodin, security editor at Ars Technica. Goodin wrote an article in December about a flaw in the browser extension of Keeper's password manager, which was discovered and disclosed by Tavis Ormandy of Google's Project Zero. The critical vulnerability in the browser extension, which was bundled with Windows 10, allowed "any website to steal any password," according to Ormandy's bug report. Ormandy said he had found an almost-identical flaw approximately a year and a half earlier and reported it to Keeper.
Keeper sued Goodin, Ars Technica and its publisher, Advance Publications Inc., for making "false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords," according to the lawsuit filing. The Ars Technica story was revised to emphasize that the flaw was only present in the Keeper browser extension, but Keeper persisted with its defamation suit against the news site and Goodin. Last month, after considerable outcry from security experts and media members, Keeper dropped the defamation suit.
Now, Keeper is attempting to repair its image in the infosec community and fix the perception that it's waging a war against security researchers and reporters. A source close to the situation said Keeper Security teamed with Bugcrowd on a formal vulnerability disclosure program in an effort to improve relationships with the security research community following the lawsuit. The program, which has not been formally announced yet, was confirmed by Keeper Security in a tweet Thursday evening.
Reached by SearchSecurity, Craig Lurey, co-founder and CTO of Chicago-based Keeper, said the Bugcrowd vulnerability disclosure program will be made public Monday. The program, which was privately launched several weeks ago, awards researchers with Bugcrowd's kudos points for submissions. The program doesn't currently offer monetary rewards for bugs, but Lurey said the company may add bug bounties in the future.
Lurey said the Bugcrowd alliance and vulnerability disclosure program were not responses to the criticism Keeper faced after the lawsuit against Goodin and Ars Technica. "We've been going back and forth with Bugcrowd for a while, and we finally made the decision this year to do it," he said, adding that Keeper could no longer manage bug reports and communications with researchers directly.
It's unclear how much Keeper's Bugcrowd program will alleviate concerns in the infosec community. Matthew Green, cryptography expert and professor at Johns Hopkins University's Information Security Institute, said the company's actions last year have turned researchers away from the vendor.
"I know of at least two vulnerabilities in Keeper Security," Green wrote via Twitter. "Researchers are so intimidated by that company's legal threats that they won't publish or even disclose to them."
Lurey pushed back against Green's comments and encouraged security researchers to engage with Keeper through the new vulnerability disclosure program. "We want to squash that [perception], because it's not true," he said. "We want these reports, and to say otherwise is not correct."
Lurey also said the volume of vulnerability reports has actually increased over the last six months since the company's lawsuit. He added that he hopes the new vulnerability disclosure program will change the perception about the company. "We think it's a good start," he said.