Cybersecurity Advisors Network (CyAN), a Paris-based global not-for-profit association representing cybersecurity professionals in 22 countries, has announced the formation of a global working group to secure legal protections for bona fide zero-day researchers, who often get threats from the vendors whose vulnerabilities they’ve disclosed.
Ethical or so-called “white hat” zero-day researchers, as Peter Coroneos, CyAN international Vice President and leader of its new “Zero-Day Legislative Project”, has explained to The Register, usually receive a “cease and desist or threatening letter” from the vendor, invoking copyright and/or criminal laws that govern access to or interference with computer systems. The Project has been set up to define laws that could protect threat researchers and replace outdated national legislation that stands in the way of making the most of threat hunters’ efforts.
Cyber threat hunters are information security professionals who proactively detect and neutralise advanced threats that have evaded automated security solutions. Typically, large companies employ their own team of threat hunters or run bug bounty programs that incentivise security researchers to submit vulnerability reports. In sharp contrast, however, some other businesses regard the unsolicited identification of holes in their cyber defences as an attack. Enacting laws protecting zero-day researchers – as these information security experts are also often called – across different jurisdictions could ensure that their potential is leveraged and that none of them, disgruntled by vulnerability-owning businesses’ responses, switches to the cyber criminals’ side.
The Zero-Day Legislative Project is endorsed by some high-profile cybersecurity leaders such as Casey Ellis, the founder, chair, and CTO of crowdsourced bug-hunting platform Bugcrowd; the founder of Microsoft’s vulnerability threat efforts, Katie Moussouris; and former UK National Cyber Security Centre CEO Ciaran Martin. Coroneos has also pointed to a February 2021 policy document from the OECD that calls for the development of legal frameworks to protect threat researchers.
In the UK, information security professionals and other experts have already called for the overhaul of the more than three-decade-old Computer Misuse Act, which has failed to accommodate the shifting landscape of the fast-paced digital environment and stands in the way of progress in several different respects.