On Thursday, the Hacking Policy Council was launched by the Center for Cybersecurity Policy and Law, an information security think tank, in collaboration with various technology companies. The council aims to enhance security research and vulnerability disclosure policy.
The CCPL has a webpage dedicated to the council’s initiative, which seeks to make technology more transparent and secure by promoting best practices for vulnerability disclosure and management. The council also aims to encourage good faith security research, independent repair for security, and penetration testing.
Objectives for a better cyberspace
The council’s website outlines four primary objectives:
- to establish a more beneficial legal environment for vulnerability disclosure, bug bounties, good faith security research, and related activities;
- to enhance collaboration between the security community, policymakers, and businesses;
- to prevent new limitations on ethical security research;
- to bolster organizations’ resilience through effective vulnerability disclosure policies and security researcher engagement.
The founding members of the council include Intel, Google, HackerOne, Bugcrowd, Luta Security, and Intigriti. The CCPL is a nonprofit organization established in 2017 by Venable LLP, a law firm, to develop practices and policies that enhance cybersecurity globally.
Ilona Cohen, HackerOne’s chief legal and policy officer, expressed enthusiasm for the council, stating that it recognizes the vital role ethical hackers play in the security ecosystem.
In its announcement, Google said: “While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story. Those risks span everything from lag time in OEM adoption, patch testing pain points, end user update issues, and more.”
Research and vulnerability disclosure
Vulnerability reporting practices have faced frequent criticism from researchers, particularly concerning how vendors or third-party bug bounty programs handle vulnerability submissions, as well as inconsistent communication with researchers.
In addition, researchers encounter obstacles when it comes to vulnerability disclosure. Many bug bounty programs prohibit researchers from publicly sharing their research on the flaws they submit, a practice that is considered controversial: the non-disclosure terms prevent researchers from receiving recognition for their submissions and keep the public unaware of serious issues that pose a risk to customers and users.
On Tuesday, OpenAI, an artificial intelligence research company, launched a bug bounty program that prohibits researchers from publicly disclosing vulnerability submissions to the program.
According to Katie Moussouris, the founder and CEO of Luta Security, this decision was “shortsighted” and does not benefit either OpenAI or the public.
Concluding with thoughts from experts
Public disclosure is a right and significant step towards creating an environment that promotes cybersecurity and responsible vulnerability disclosure. What is still needed is maturity in how organizations handle security vulnerability disclosures and the services built around them.
Geiger, the council’s coordinator, said that, long term, he hopes to see greater adoption of vulnerability disclosure and management best practices.
“That includes greater integration of vulnerability disclosure policies into organizational security programs, as well as fewer regulations that deviate from standards and best practices — such as regulations that would require businesses to disclose unpatched vulnerabilities to government agencies, or laws that fail to distinguish between malicious criminal activity and good faith security research.”