Highlights:

  • According to the Center for Cybersecurity Policy and Law, out-of-date legislation imposes limitations and legal responsibilities on security procedures.
  • The official disclosure coincided with Google’s publication of a white paper outlining potential improvements to the ecosystem for vulnerability management.

Aiming to improve the legal, policy, and commercial environments for honest security research and vulnerability disclosure, the Center for Cybersecurity Policy and Law unveiled two new initiatives.

The first effort is the Hacking Policy Council, a brand-new organization. It intends to promote best practices for vulnerability disclosure and management so that technology becomes safer and more transparent. The council will also promote legislative and regulatory changes that empower impartial security research, penetration testing, and independent security repair.

According to the Center for Cybersecurity Policy and Law, out-of-date legislation imposes limitations and legal responsibilities on security procedures. Additionally, it claims that evolving legal guidelines for managing and disclosing vulnerabilities are not always clear or in the best interests of security.

The Hacking Policy Council’s main objectives include:

  • Fostering collaboration between the security, business, and policymaking communities
  • Preventing new legal restrictions on security research and related fields
  • Improving the legal environment for vulnerability disclosure and management
  • Strengthening organizational resilience through effective implementation of vulnerability disclosure policies and security researcher engagement

The council’s founding members are Google LLC, Bugcrowd Inc., HackerOne Inc., Intigriti NV, Intel Corp., and Luta Security Inc. Ari Schwartz, Center for Cybersecurity Policy and Law Coordinator, stated, “This is an all-star team of substantive experts with global reach and deep ties to the security and policymaking communities.”

The second initiative, the Security Research Legal Defense Fund, has been established as a separate 501(c)(3) nonprofit organization. In cases that promote cybersecurity for the public’s benefit, it will help fund legal representation for those who face legal issues as a result of honest security research and vulnerability disclosure.

The official disclosure coincided with Google’s publication of a white paper outlining potential improvements to the ecosystem for vulnerability management. Google contributed to the Hacking Policy Council’s creation and gave the Security Research Legal Defense Fund seed money.

Bugcrowd’s CEO, Dave Gerry, said that his company wants a business and regulatory environment that supports the protection of consumers, security researchers, and enterprises, and that increases the likelihood that vulnerabilities will be found and fixed before threat actors have a chance to exploit them.

“We believe that promoting best practices in these areas will help protect consumers, enterprises, and society by increasing the likelihood that vulnerabilities will be mitigated before malicious actors exploit them. By leveraging the collective creativity of the hacker community, organizations can bridge the gap between the need for better security practices and their lack of in-house talent,” Dave Gerry mentioned.

Gerry added that unaddressed vulnerabilities put the security of users and organizations at risk. “It’s my hope that this council can help bring clarity on vulnerability disclosure to set security standards that currently encourage beneficial cybersecurity activities,” he said.