A group of companies, including Google, HackerOne, Luta Security, and Bugcrowd, is joining forces to form a new group that will advocate for better policies and regulations around vulnerability management and disclosure and calling on other companies to be more transparent about when vulnerabilities in their products have been exploited.
The new group, called the Hacking Policy Council, is a unique effort to bring the hacker mindset and ethos to the public policy world to help ensure that any current or future laws or policies don’t undermine user security or harm researchers. The council is an initiative of the Center for Cybersecurity Policy and Law and also includes Intel and Intigriti. The council focus not just on current or future legislative proposals in the United States and around the world, but also on working to effect change of archaic regulations and laws that were put in place long before the rise of the current security research community.
“We have a lot of regulations that were written in a different era when there wasn’t a nuanced understanding of the difference between vulnerability disclosure and malicious hacking. It’s very difficult to get these regulations unwound,” said Katie Moussouris, CEO and founder of Luta Security, and a member pf the new council.
“We also have a global evolving regulatory regime which especially around vulnerability disclosure is making things more complicated, like requiring disclosure to a government. This council has a role not only in helping to focus on some of the ambiguous and outdated legislation and lobbying as a force against the wrong direction and inviting governments to know about unpatched vulnerabilities ahead of time.”
China has a law that requires researchers to disclose a newly discovered vulnerability to the government immediately, even before notifying affected vendors. There is a somewhat similar proposal in the European Union and experts worry that those regulations could prove damaging to the security of the Internet as a whole.
“Security research is the Internet's immune system in a lot of ways and what this council is trying to do is fix the Internet’s autoimmune problem,” said Casey Ellis, founder and CTO of Bugcrowd.
In addition, Google is providing seed money for a legal defense fund for security researchers who are acting in good faith and do not otherwise have access to legal counsel. That has been a serious issue for many security researchers, especially those who may be outside the United States or those who are not quite as experienced or versed in the way some companies handle vulnerability submissions. Google did not specify how much money it was committing to start the Security Research Legal Defense Fund, but said that it will quadruple and bug bounty rewards that researchers choose to donate to the fund. Three independent board members will over see the fund, which also will be housed at the Center for Cybersecurity Policy and Law.
“Ultimately it would not be a horrible thing if the fund never got used."
“My hope in the long term is that the chilling effect currently felt by researchers is reversed over time,” said Tim Willis, head of Google’s Project Zero research team.
The fund’s board will decide on each individual application for funds from a researcher and determine whether it meets the eligibility requirements and is in line with the fund’s goals. The board members include Amie Stepanovich, vice president of U.S. policy at the Future of Privacy Forum, Jim Dempsey, a senior policy advisor at the Stanford Cyber Policy Center, and Kurt Opsahl, the founder of Filecoin.
“Ultimately it would not be a horrible thing if the fund never got used. You can’t set up a fund like this without hoping that one day it doesn’t have a reason to exist any longer,” Stepanovich said.
As part of the new initiatives, Google also is committing to publicly disclose whenever it has evidence that one of its products has been exploited and is encouraging other vendors to follow suit.
“If a vendor discovers a vulnerability being actively exploited (i.e. used by attackers to cause harm to users or organizations), it is not enough to just fix the vulnerability. Vendors should make users, supply chain partners, and the community aware of the exploitation and notify victims in a timely manner through public disclosure and direct outreach where possible,” Google said in a new white paper.
“Making users aware of exploitation is especially important and time-sensitive when there are mitigations users can explicitly take action on to protect themselves against the threat and the disclosure itself does not give attackers a significant advantage over defenders with respect to further leveraging the vulnerability. Additional details of vulnerabilities and exploits should be shared to improve researcher knowledge and defenses, weighing the balance of transparency and defensive benefit against the risk to users who are yet to patch.”
The overarching goal of all of the new initiatives is to make things safer for both technology users and the researchers who work to find and bring to light security vulnerabilities.
"We should be embracing these reports for the gifts that they are," Willis said.