legal-bug-bounty
Enumerating third-parties who have granted permission to be tested?
Given the legal inability to "authorize" on behalf of third parties, does it make sense to add a section to the third-party templates that explicitly calls out third-party vendors used by the BBP owner that have explicitly consented to be tested within the scope of the BBP?
Eventually, as more vendors hopefully adopt BBPs (as part of a holistic software security program), third-party authorization will become less of an issue. Until then, companies have to get explicit permission for BBP testing from the specific vendors they use.
Practically speaking, bug bounty hunters often aren't in a position to know where the technical boundary is between the BBP owner and third parties, or even that third-party vendors might be involved. This isn't great for avoiding chilling security research,
This is more of an aspiration rather than an "issue."