Austin ethical hacker group makes reporting security bugs easier

A group of Austin-based, ethical hackers have become the first hacking collective to join a formal, global reporting program for disclosing software flaws.

Why it matters: Not all hackers are malicious or actively looking to exploit the security vulnerabilities they uncover. But the process of reporting the bugs they find is often arduous and, in some cases, full of legal headaches.

• Because of that, not all hackers end up reporting the bugs they find. Many vendors might not respond, don't understand the problem or might even issue cease-and-desist letters.

Driving the news: Austin Hackers Anonymous (AHA!) joined the internationally recognized CVE program earlier this week.

• In doing so, the group became what's known as a CVE Numbering Authority (CNA), which gives them more muscle when approaching companies about the security flaws they find while tinkering around in their free time.

Zoom out: Most major cybersecurity vendors participate in the program, allowing everyone to use the same standardized process of labeling and releasing details about new security vulnerabilities.

• For example, when vendors or researchers refer to the widespread Log4j vulnerability, they use the number CVE-2021-44228 to make sure they're all responding to the exact same issue.

The big picture: AHA! is now the first unorganized hacker collective in the country to be a CNA — giving anyone who presents at one of the group's meetings a clear way to register, report and publish the vulnerabilities they uncover.

• "I’ve been spending a lot of my career lately on getting vendors on board with this whole vulnerability-disclosure religion," Tod Beardsley, one of the founders of AHA!, told Axios.
• "Then it occurred to me that I sure need to do a lot more work on educating hackers on how this works, too," he added.

How it works: On the last Thursday of each month, AHA! members present their latest security discoveries in short, 10-minute presentations in the back room of a local bar.

• After, if presenters want to report their findings to the vendor, Beardsley kickstarts the process for the vulnerability at the meeting and discusses with the hacker if they want their name attached or if they want to remain anonymous.
• Beardsley expects he'll be the one to discuss the flaw with the vendor given his experience running another CNA program for his day job with security firm Rapid7.

The intrigue: Before the group became a CNA, AHA! members weren't always motivated to navigate the process on their own, Beardsley told Axios.

• Most members are just finding these vulnerabilities while messing with products for fun in their free time.
• And many companies are either quick to dismiss the claims from individual hackers disclosing a problem or are intimidated when a hacker approaches out of the blue about something they found.
• "The first response is often, 'Are you trying to sue us? Are you trying to extort us? Are you trying to sell us something?'" Beardsley said.
• Reporting through a recognized CNA program, rather than a solo hacker, gives these reports more legitimacy.

Between the lines: Austin is a burgeoning tech hub with plenty of talented hackers who discover major flaws all the time.

• Beardsley is hopeful the new AHA! program will lead to more bugs being reported and patched.

What's next: The first meeting where AHA! members can start registering their vulnerabilities is Feb. 23, and Beardsley said it usually takes a couple of months to work with companies to respond to the vulnerabilities before publication.

Sign up for Axios’ cybersecurity newsletter Codebook here.