
Zero-day hunters seek laws to prevent vendors suing them for helping out and doing their jobs
2021-10-11 22:01

Cybersecurity Advisors Network, the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit.

Peter Coroneos, CyAN international veep and leader of its new "Zero Day Legislative Project", told The Register the organisation recently staged a virtual meeting of 150-plus security researchers, and the topic of aggressive legal responses to disclosures was high on their list of worries.

Vendors generally profess that they welcome researchers' approaches, and many now operate bug bounty programs or formal disclosure initiatives to ensure they can handle claims of new holes with appropriate speed.

The Project will work to define model laws that protect threat researchers, and then encourage members around the world to lobby for their introduction in different jurisdictions.

Those efforts have been endorsed by Casey Ellis, the founder, chair, and CTO of crowdsourced bug-hunting platform Bugcrowd; the founder of Microsoft's vulnerability threat efforts, Katie Moussouris; and former UK National Cyber Security Centre CEO Ciaran Martin.

Coroneos also pointed to a February 2021 policy document from the OECD that calls for development of legal frameworks to protect threat researchers.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/11/cyan_zero_day_legislative_project/