Legal and lobbying aid arrives for cybersecurity researchers
Security researchers have a new set of allies in Washington to help defend against potential legal battles over the flaws they uncover.
Driving the news: A group of tech companies, security vendors and nonprofits unveiled two new Google-backed initiatives Thursday aimed at protecting "good faith" security researchers from legal threats and giving them a voice in policy discussions.
- Google, Intel, Luta Security, HackerOne, BugCrowd and Intigriti have formed the Hacking Policy Council, a policy group that will advocate worldwide for laws and regulations that promote best practices for vulnerability disclosure.
- Google also provided an unspecified amount of seed funding to stand up the Security Research Legal Defense Fund, which will provide monetary aid to researchers who face legal threats after reporting a flaw to a company.
The big picture: Security researchers often probe for exploitable bugs in online services and then report those flaws to the companies behind the products with hopes they'll release a fix.
- But not all companies embrace those reports: Some downplay the impact these bugs could have. Others might sue the researcher who disclosed the bug, alleging violations of anti-hacking laws or copyright infringement.
- Those legal threats often send a chilling message to researchers that they should stop doing this work — or risk paying for a lengthy legal fight.
Between the lines: The new programs hope to bridge gaps in the industry's support for security researchers, Tim Willis, head of Google's Project Zero initiative, told Axios.
- "What we really want to see is this holistic process change," Willis said. "We need to make sure that companies aren't just painting over the crack in the wall, and that they actually take the time to think about the problem and work towards a solution."
- Katie Moussouris, founder and CEO of Luta Security, told Axios she hopes the programs will instead create a "warming effect" between researchers and companies.
Details: Applicants for the Security Research Legal Defense Fund will have to demonstrate a financial need for the legal aid and will have to prove that they meet the fund's definition of a good-faith security researcher.
- The fund, which is set up as a standalone nonprofit and has three independent board members, is also seeking more funding from other companies.
- Meanwhile, the Hacking Policy Council has met with EU officials to discuss changes to the proposed Cyber Resilience Act, and they're pushing to see changes in U.S. trade policy to ensure vulnerability disclosures can happen across borders.
The intrigue: Both the Hacking Policy Council and the legal defense fund will face unique challenges navigating how to support and represent the vast hacker community.
- The council plans to focus on community engagement to ensure that well-intentioned hackers feel properly represented in its policy recommendations, Harley Geiger, a cybersecurity attorney at Venable and lead coordinator for the two new organizations, told Axios.
- The legal defense fund will need to do a lot of research into a potential case to ensure it isn't being duped by malicious hackers before doling out funds.
What's next: The Hacking Policy Council plans to bring on additional organizations as members, Geiger added.
- Meanwhile, the legal defense fund is focusing on raising awareness about the program and is now open to accepting new cases.