On how the proposed updates to the Wassenaar Arrangement, which limit the export of "intrusion software," would inhibit the security professionals who need to protect against zero-day exploits but fail to inhibit those who create such exploits, Katie Moussouris, chief policy officer of HackerOne, said:
"Hacking Team was such a treasure trove of information. But what is especially interesting in terms of export controls is that they have lawyers, they did consult with their lawyers, they have a means to apply for export licenses in their own country, and there are a number of ways they could legally obtain export licenses for their software or use resellers that reside in other countries.
"So the folks that were targeted, who were making the software that was targeted by this regulation, have multiple means of getting around it, whereas the defense end of things and the folks who are not building this type of software but unfortunately are caught in that language dragnet really are the ones that are suffering, and as a result, defense of the Internet as a whole is suffering."
(See also Moussouris' blog on Dark Reading, "Mad World: The Truth About Bug Bounties," a response to Oracle CSO Mary Ann Davidson's short-lived rant about reverse engineering and vulnerability disclosure.)