HackerOne urges U.S. to advocate for research protections in UN cybercrime treaty

The company responsible for bug bounty platforms warns in a letter to top U.S. officials that the treaty’s vague language could undermine ethical security research.
The United Nations logo is seen at the United Nations headquarters on May 20, 2021 in New York City. (Photo by Angela Weiss/AFP via Getty Images)

HackerOne has expressed serious concerns over the recently proposed UN Convention Against Cybercrime, which the company says lacks strong protections for good-faith security researchers. 

In an open letter sent to Secretary of State Antony Blinken, Attorney General Merrick Garland, and United States Agency for International Development Administrator Samantha Power, Ilona Cohen, chief legal and policy officer for HackerOne, highlighted the role independent security has in the industry and lamented the treaty’s failure to align with U.S. policies that shield good-faith efforts from prosecution.

While the convention aims to enhance international collaboration against cybercriminals, Cohen writes that its vague terminology could inadvertently suppress ethical research activities. Nations with underdeveloped cybercrime laws might adopt the treaty’s language, potentially leading to increased risks for researchers, especially those operating in authoritarian regimes. Cohen warns that without explicit protections, countries may misapply the treaty, squeezing the space for legitimate security work.

The company urges the United States to push for revisions that explicitly safeguard ethical hacking within the treaty text or, at a minimum, to encourage other nations to embed these protections into their own legal systems. As a possible strategy, HackerOne suggests incorporating these protections into the cybersecurity capacity-building efforts led by U.S. agencies or conditioning aid on the assurance that governments will not prosecute ethical researchers.

“Taking these and other steps to protect good faith security research will help ensure that policymakers around the world are aware of the treaty’s implications for security research and encourage them to adapt their legal frameworks to support, rather than hinder, ethical hacking,” Cohen wrote. “By doing so, nations can foster a cooperative environment where the essential work of security researchers is valued and encouraged, ultimately strengthening our collective defenses against cyber threats.” 

HackerOne is a renowned platform that connects businesses with a global community of ethical hackers to help identify and fix security vulnerabilities. It facilitates bug bounty programs and vulnerability disclosure, allowing organizations to strengthen their security posture by tapping into the expertise of thousands of security researchers. It has set up and maintained bug bounty programs for the U.S. Department of Defense, Spotify and Uber, among many other organizations. 

The treaty has advanced toward a General Assembly vote, despite facing criticism from tech companies, human rights advocates, and some U.S. Congress members. A full vote will take place at a UN General Assembly meeting in December. 

You can read the full letter below. 

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
