A coalition of cybersecurity companies and organizations has launched initiatives aimed at encouraging ethical hackers to find and report vulnerabilities without fear of legal repercussions. Google, together with several information-security companies, announced the establishment of a legal defense fund to support cybersecurity researchers and penetration testers. The fund will be managed by the non-profit Center for Cybersecurity Policy and Law, which will provide legal advice to specialists who face the threat of unjust prosecution or civil action for discovering and reporting vulnerabilities in good faith.
In addition, Google and its partners have established the Hacking Policy Council, which will advocate for reasonable regulations governing the disclosure of vulnerability information. The founding members of the Council are HackerOne, Bugcrowd, Intel, Intigriti, and Luta Security.
The authors of the proposed initiatives argue that current conditions incentivize unethical behavior. Vulnerabilities are often found first by malicious actors, who exploit them against the systems they target. Meanwhile, ethical hackers and researchers face too many legal barriers and personal risks when they try to disclose vulnerabilities responsibly.
Eric Goldstein, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), believes that this situation must change. He argues that "there are only two options" when it comes to vulnerabilities: either a conscientious researcher finds them, or a malicious one does.
The Hacking Policy Council aims to defend policies that encourage the discovery and reporting of vulnerabilities while protecting researchers from unfair treatment. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, said the group seeks to ensure that policymakers and regulations support best practices for vulnerability disclosure.
By supporting ethical hacking and coordinated vulnerability disclosure, the initiatives launched by the cybersecurity coalition aim to improve security for consumers, enterprises, and society at large.
Sources:
– https://www.securityweek.com/google-partners-create-legal-fund-support-hackers-who-find-flaws