Hacker-friendly laws: Paris association wants to protect security researchers

Being a security researcher is often a thankless job: some companies either do not react at all when security gaps in their systems are reported, or they immediately threaten lawyers and lawsuits instead of working productively and quickly to secure their systems. Although many companies now offer bug bounty programs and speak extremely positively in public about security researchers and their efforts, the reality behind the scenes is often still different. Independent security researchers in particular, who have no large company or organization behind them, are still frequently faced with attempts at intimidation and the threat of legal action. A non-profit interest group of security researchers is now working with a global coalition of partners to provide legal protection for such independent white hat hackers.

As the Paris-based Cybersecurity Advisors Network (CyAN) has now announced, the aim of the initiative is to bring about changes in the law. These are intended to protect security researchers from legal consequences if they hack into third-party systems in order to track down security gaps and, in the public interest, report them to those responsible before the vulnerabilities are misused. The Zero Day Legislative Project, as the new working group calls itself, wants to work with security researchers to develop model laws that lobbyists can then bring into parliaments to create local legal bases for the protection of white hat hackers.

The initiative is supported, among others, by the well-known security researcher Katie Moussouris, who was instrumental in building a constructive collaboration with the hacker community at Microsoft, and by Casey Ellis, who founded the crowdsourced bug bounty platform Bugcrowd. The French government has also promised to support the CyAN initiative. At the beginning of the year, the OECD, the Organization for Economic Cooperation and Development, likewise came out in favor of developing similar model laws to protect security researchers.

According to the head of the Zero Day Legislative Project, Peter Coroneos, the idea of founding such a working group arose from a survey at a virtual meeting of over 150 security researchers, who identified legal threats as one of the biggest problems preventing them from doing their job, Coroneos told the British news site The Register in an interview. At CyAN, they were initially surprised that this was still a problem these days, and then decided to do something about it. "Researchers often find a weak point and inform the manufacturer. The next thing they receive is a cease and desist letter or a threatening letter," says Coroneos.

At heise Security, we have in the past often dealt with security researchers who had received one legal threat or another and then turned to us. Anyone who has (so far) not been affected and wants to get an impression of such threatening letters can find examples in a corresponding collection on GitHub.