New Policy Group Wants to Improve Cybersecurity Disclosure, Support Researchers

Security researchers who report vulnerabilities run the risk of either being slapped with legal sanctions to suppress disclosure or getting caught up in a legal battle punishing them for finding the flaws in the first place.

Even though the US Department of Justice announced last year that it won't prosecute cybersecurity researchers engaged in "good faith" vulnerability research and disclosure for violating the Computer Fraud and Abuse Act (CFAA), researchers still risk criminal and civil actions from states, foreign governments, and corporations. The nonprofit Center for Cybersecurity Policy & Law is pushing back with two coordinated initiatives – the Hacking Policy Council and the Security Legal Research Fund – to protect individuals who discover vulnerabilities that could potentially harm users if exploited.

The formation of the Hacking Policy Council and Security Legal Defense Fund underscores how critical it is to identify and disclose vulnerabilities to prevent malicious actors from gaining access to software, infrastructure, and data, says Futurum Research senior analyst Krista Macomber.

"The intention is to create a climate that encourages collaboration and information sharing and protects folks working diligently to expose potential threats," Macomber says.

The Hacking Policy Council plans to advocate and lobby for better vulnerability disclosure regulations and removing outdated laws. Founding member organizations include Google, Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security. The Security Legal Research Fund, as of now, will provide only funding.

"The defense fund does not plan to provide direct legal representation to researchers at this time," said Harley Geiger, an attorney with Venable and coordinator of the two new groups, during the press conference announcing the two initiatives. "Instead, it will help provide funding to individuals who are facing legal threats due to good faith security research and vulnerability disclosure."

Plight of Ethical Hackers

James Dempsey, one of the Security Legal Research Fund's board members and a lecturer at the University of California at Berkeley Law and Stanford University, noted that independent researchers have long faced legal jeopardy for their efforts. For example, Dempsey pointed to a well-known case in 2008 when a judge issued an injunction that prevented a team of MIT students from presenting at the DEF CON security conference about vulnerabilities they discovered in Massachusetts Bay Transit Authority's fare card system.

Dempsey pointed to a more recent case in 2021 when Missouri Governor Mike Parson threatened to prosecute reporters at the St. Louis Post-Dispatch after the newspaper published an article exposing vulnerabilities on a state agency's website. But Missouri prosecutors ultimately declined to file charges.

"To get that letter on the letterhead threatening legal action can be very intimidating, and that's what we want to help people overcome," Dempsey said.

"This issue has so much impact that I think it really merits a group that is tightly focused on this issue and can bring that expertise to policymakers to help them make more informed policy," said Charley Snyder, Google's head of security policy.

The Hacking Policy Council will initially work to lobby for changes in laws and regulations in the US and, ultimately, worldwide. Luta Security founder and CEO Katie Moussouris emphasized that many regulations are outdated.

"Right now we have a lot of regulations that were, frankly, written in a different era when there was not a nuanced understanding of the hand-in-hand relationship between vulnerability discovery and malicious hacking prevention," she said.

Complicating matters is the global disparity in regulations and policies, which sometimes require disclosure to a government, either in tandem or before notifying affected users and the public, Moussouris noted. A provision in the Cyber Resilience Act, proposed by the European Commission, would require anyone in the EU discovering a vulnerability to disclose it within 24 hours.

"As written, it will be as effective for security as GDPR was for privacy; it will have that much of an impact," Venable's Geiger said.

Adding to the complexity, Geiger noted that the current definition doesn't distinguish between good faith security research and malicious criminals.

"There is currently no provision for making sure that the vulnerability, before it is disclosed, is patched," he said. "Part of the concern with the CRA is that you then end up EU-wide with a rolling list of software and vulnerabilities that may not yet be mitigated, shared with perhaps dozens of EU government agencies."

Legal Aid for Security Researchers

The Security Legal Research Fund will help good faith security researchers and penetration testers facing cease-and-desist letters, lawsuits, fines, and prosecution for disclosing vulnerabilities, said Tim Willis, head of Google's Project Zero team, during the media briefing.

"My hope in the long term for this fund is that the chilling effect that is currently felt by security researchers is reversed over time. One thing that all these parties can agree on is that users lose when things don't get fixed quickly," Willis said.

Geiger emphasized that the effort would focus on protecting ethical hackers who only use their research to protect users.

"The fund is not looking at helping good faith security researchers who are sued for something like extortion if they, in fact, committed extortion," Geiger said. "It will be for the act of good faith security research or the act of vulnerability disclosure connected with that good faith security research."

Amie Stepanovich, VP of US policy at the Future of Privacy Forum and a Security Research Legal Defense Fund board member, said each request will be considered based on the scope and merit of the case and the applicant's financial resources.

"We are going to be targeting funds to where they're needed most," Stepanovich said. "We want to be able to help as many people as possible in as dire need as possible, and so we will be making decisions about amounts based on the case and the need and what the actual factual circumstances are."

Google is seeding the Security Legal Research Fund with an undisclosed amount, but the fund would be operated by the Center for Cybersecurity Policy & Law to ensure no one company has influence or receives favor over how the funds are used. Willis urged other companies to also contribute to the fund.

Omdia analyst Curtis Franklin believes the fund and counsel further validate and support independent researchers' role in finding vulnerabilities.

"Independent researchers are a necessary part of our security infrastructure right now, and I think it's good that this is being recognized and that these companies want to take the steps of having more formal legal recognition of that," Franklin says. "Our systems are now sufficiently complex that no one company can find all of the vulnerabilities that exist and all of the interactions that exist in their systems, either before or after they're released."