Why legal threats to threat hunters need to stop
Cybersecurity Advisors Network (CyAN), a Paris-based global not-for-profit association representing cybersecurity professionals in 22 countries, has announced the formation of a global working group to secure legal protections for bona fide zero-day researchers, who are often threatened by the very vendors whose vulnerabilities they have disclosed.

Ethical, or so-called "white hat", zero-day researchers, as Peter Coroneos, CyAN international Vice President and leader of its new "Zero-Day Legislative Project", explained to The Register, typically receive a cease-and-desist or other threatening letter from the vendor, citing copyright law and/or the criminal laws that govern unauthorised access to or interference with computer systems. The Project has been set up to draft laws that would protect good-faith researchers and replace outdated national legislation that stands in the way of making the most of their work.

In the strict sense, cyber threat hunters are information security professionals who proactively search for and neutralise advanced intrusions that have evaded automated security controls; the researchers at issue here are those who find previously unknown (zero-day) vulnerabilities in other organisations' products and services and report them. Large companies typically employ their own security research teams or run bug bounty programmes that reward outside researchers for submitting vulnerability reports. In sharp contrast, some other businesses treat the unsolicited discovery of holes in their defences as an attack and respond with legal threats rather than a fix. Enacting protections for good-faith researchers consistently across jurisdictions would allow their findings to be used, and would reduce the risk that a researcher, disgruntled by the response of the business that owns the vulnerable system, sells the finding to criminals instead.

The Zero-Day Legislative Project is endorsed by several high-profile cybersecurity leaders, including Casey Ellis, founder, chair and CTO of the crowdsourced bug-hunting platform Bugcrowd; Katie Moussouris, who launched Microsoft's first bug bounty programmes; and Ciaran Martin, founding CEO of the UK National Cyber Security Centre. Coroneos has also pointed to a February 2021 OECD policy document that calls for the development of legal frameworks to protect vulnerability researchers.

In the UK, information security professionals and other experts have already called for an overhaul of the Computer Misuse Act 1990. The Act, now more than three decades old, makes no distinction between malicious access and good-faith security research, has not kept pace with the fast-moving digital environment, and stands in the way of progress on several fronts.

Copyright Lyonsdown Limited 2021