Cybersecurity firms to launch legal support fund, advocacy group for ethical hackers
A coalition of cybersecurity companies and organizations unveiled several initiatives on Thursday intended to encourage ethical hackers to discover and disclose vulnerabilities, and to protect them from legal trouble if they do so.
Google and other cybersecurity-focused organizations announced the launch of a legal defense fund to support security researchers and pentesters involved in ethical hacking, as well as an advocacy group, the Hacking Policy Council, which will lobby for sound regulations around vulnerability disclosure.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said at a Thursday press conference “only two options” exist for any given vulnerability: a “good faith actor or a bad faith actor will find it.”
“So how do we in the cybersecurity community stack the deck? How do we shift the balance of the scales to increase the likelihood that a good faith actor finds a vulnerability before a bad faith actor does?” he asked.
“Today, in many cases, this deck is stacked in the opposite direction. There are minimal constraints limiting the freedom of operation of bad faith actors and there are too many barriers, too much fear, too many disincentives. We have to shift that balance.”
Goldstein noted that the Justice Department recently amended its charging policy to explicitly discourage going after ethical security researchers. But he added that there is more that can be done to make sure researchers have “the right policy, legal and regulatory environment such that good faith actors feel like there is a safe space for them.”
Legal defense fund
The Security Research Legal Defense Fund will be operated by the nonprofit Center for Cybersecurity Policy and Law using initial seed funding from Google. It will provide legal guidance and, if necessary, counsel to security researchers and pentesters.
Stanford professor James Dempsey – a founding member of the Security Research Legal Defense Fund – said in the press conference that the fund is being created to help security researchers who are unfairly targeted for discovering vulnerabilities or breaches.
Dempsey referenced several examples, including two cases where state government bodies took legal action against researchers or journalists over their work.
Last year, Missouri Governor Mike Parson spent months going after St. Louis Post-Dispatch reporter Josh Renaud for his work discovering that the Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state's Department of Elementary and Secondary Education.
Dempsey also mentioned a case in 2008 where the Massachusetts Bay Transportation Authority filed a suit in federal court against three Massachusetts Institute of Technology students who discovered vulnerabilities in payment systems used in the state’s mass transit system.
Both were situations where the new fund could have helped provide assistance to those being targeted for their work, Dempsey explained.
“I've seen the power that companies and organizations can have over security researchers,” said Tim Willis, head of Google’s vulnerability hunting team Project Zero. “Sometimes that power is used to stifle security research. Cease and desist letters are issued by companies mistakenly believing that they are under some form of attack, or worse, issued intentionally to silence security researchers from sharing their findings.”
He went on to explain that even companies that do have bug bounty programs at times force researchers to wait extended periods of time before allowing them to publicly disclose issues – often “using it as a means to buy a prolonged silence instead of using it to reward security researchers.”
“Let's not shoot the messenger. Instead, let's embrace the messenger, embrace the message that they bring, which will make us all safer in the end,” he said.
Hacking Policy Council
Google said it is joining several other cybersecurity companies as founding members of the Hacking Policy Council, a group that will engage in “focused advocacy” to ensure new policies and regulations support best practices for vulnerability management and disclosure.
The other founding members of the group include HackerOne, Bugcrowd, Intel, Intigriti, and Luta Security.
“As the threat landscape continues to evolve, policymakers must consider how the hacking community can help organizations meet this challenge. The Council aims to advocate for policy outcomes that will best enable vulnerability discovery and disclosure and protect the hackers working to improve the security of the products and systems we all use,” said Ilona Cohen, chief policy and legal officer at HackerOne.
Google explained that the cybersecurity industry for the first time is seeing laws – both passed and proposed – requiring the private disclosure of vulnerabilities to governments under certain circumstances.
In February, Belgium put in place a new vulnerability reporting framework, making it the fourth European country to give cybersecurity researchers a way to legally report software and hardware bugs to organizations and the government.
The Netherlands, France and Lithuania all have similar policies in place. Last year, the U.S. Justice Department updated its charging policy under the Computer Fraud and Abuse Act in an effort to protect researchers who look for bugs in good faith, with no plan to exploit them maliciously.
In a statement, HackerOne said despite some new laws, “misinformed and outdated notions about vulnerability disclosure persist, and some organizations still struggle to effectively adopt best practices like vulnerability disclosure programs (VDPs).”
Bugcrowd CEO Dave Gerry added that better vulnerability reporting practices will help protect consumers, enterprises, and society by increasing the likelihood that vulnerabilities will be mitigated before malicious actors exploit them.
“By leveraging the collective creativity of the hacker community, organizations can bridge the gap between the need for better security practices and their lack of in-house talent,” he said.
“Unaddressed vulnerabilities put an organization's security at risk, and, in turn, the personal data of millions of users annually. It's my hope that this council can help bring clarity on vulnerability disclosure to set security standards that currently encourage beneficial cybersecurity activities.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.