Every day, good-faith security researchers around the world face potential criminal prosecution for testing digital systems for flaws, reporting vulnerabilities and figuring out how to repair products. A new advocacy group, the Hacking Policy Council, launched on Thursday seeks to remedy that by advocating on behalf of researchers in support of laws that protect their work.
While there has been great progress in supporting vulnerability disclosure and security research, the global community of white-hat hackers lacks a coordinated body to lobby on their behalf to address both forthcoming rules and ones already on the books that put them at risk, said Ilona Cohen, chief legal and chief policy council at HackerOne and member of the council.
“There hasn’t really been an advocacy group focused primarily on hackers,” Cohen said. “There are advocacy groups for reptile owners but not hackers, so that seems like a miss — and we’re here to remedy that.”
One of the council’s first priorities is advocating for changes to the European Union’s Cyber Resilience Act, which would require companies to report vulnerabilities within 24 hours. Council members expressed concerns that the current version of the law doesn’t make a distinction between good faith researchers and criminals. Additionally, it doesn’t require that the vulnerability be patched before being shared.
“The concern is you end up with a rolling list of software and vulnerabilities that may not be mitigated shared with perhaps dozens of government agencies,” said Harley Geiger, a cybersecurity policy counsel at Venable, noting that doing so could be dangerous for intelligence reasons if they are leaked to adversaries.
Cohen says that some members of the council have already met with representatives from the European Union, and the council has drafted a letter with its positions. Members also plan to meet with U.S. lawmakers at the RSA Conference later this month.
The council’s founding members include Bugcrowd, Google, Intel, Intigriti and Luta Security. In addition to creating favorable legal conditions for security researchers, the council will work to help organizations strengthen their vulnerability disclosure programs.
Already, the effort appears to have gained the support of some within the U.S. government.
Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said at the launch event on Thursday that the government needs to “shift the balance of the scales to make sure a good faith actor finds a vulnerability before a bad faith actor” and that today “the deck is stacked in the opposite direction.”
Goldstein, who called good-faith hackers “heroes,” pointed to the Justice Department’s directive last year that such security researchers should not be charged under federal hacking law as well as CISA’s coordinated vulnerability disclosure program as evidence of the government’s improving relationship with security researchers but noted that more needs to be done.
Separately, a new legal defense fund for security researchers launched on Wednesday. The non-profit Security Research Legal Defense Fund will provide financial support for security researchers facing legal threats. The fund will be overseen by a board of directors that includes Jim Dempsey at the University of California at Berkeley, Kurt Opsahl, the associate general counsel at the Filecoin Foundation, and Amie Stepanovich, the vice president of the Future of Privacy Forum.
Google will provide seed funding for the defense fund, which will be run independently of its funders. The board will take into consideration financial need as well as the nature of the individual’s actions in determining which cases to support.
The United States has made strides toward largely decriminalizing good-faith security research in recent years. Last year, the Justice Department announced a new policy directing that good-faith security researchers should not be charged under the Computer Fraud and Abuse Act, but that hasn’t stopped private companies from using legal threats to stymie security research.
Companies threatening to sue good-faith security researchers and journalists remains a common occurrence and something that experts say can have a chilling effect on much-needed vulnerability research. States have also threatened researchers in recent years and tend to have broader hacking laws.
“If they do get the threatening letter, if they do face potential criminal prosecution, someone needs to be there to help them,” Opsahl said.
Examples of cases that the board might take on include the Missouri journalist threatened last year by the state’s governor for publishing an article about a vulnerability in a state website’s source code and students seeking to present research on public vulnerabilities. Initially, the fund will focus on the United States, but its charter allows it to support researchers abroad as well.
The group is encouraging researchers who can’t collect bounties due to their jobs to donate them to the fund. Google will quadruple-match any funds donated through its bug bounty program. The fund hopes that additional companies and that individuals will provide funding over time.