Why legal threats to threat hunters need to stop

Cybersecurity Advisors Network (CyAN), a Paris-based global not-for-profit association representing cybersecurity professionals in 22 countries, has announced the formation of a global working group to secure legal protections for bona fide zero-day researchers, who often get threats from the vendors whose vulnerabilities they’ve disclosed.

Ethical, or so-called “white hat”, zero-day researchers typically receive a “cease and desist or threatening letter” from the vendor, invoking copyright law and/or the criminal laws that govern unauthorised access to or interference with computer systems, as Peter Coroneos, CyAN international Vice President and leader of its new “Zero-Day Legislative Project”, explained to The Register. The Project has been set up to draft model laws that protect good-faith researchers and to replace the outdated national legislation that currently discourages them from reporting what they find.

Cyber threat hunters are information security professionals who proactively search for and neutralise advanced threats that have evaded automated security controls. Large companies typically employ their own team of threat hunters or run bug bounty programmes that reward security researchers for submitting vulnerability reports. In sharp contrast, some other businesses treat the unsolicited discovery of holes in their cyber defences as an attack and respond with legal threats. Enacting laws that protect zero-day researchers, as these specialists are also often called, consistently across jurisdictions would let organisations benefit from their work and reduce the risk that a researcher, alienated by a hostile response from the business whose vulnerability they reported, takes their findings to the criminal market instead.

The Zero-Day Legislative Project is endorsed by several high-profile cyber-security leaders, including Casey Ellis, founder, chair and CTO of the crowdsourced bug-hunting platform Bugcrowd; Katie Moussouris, who created Microsoft’s first bug bounty programme and led its vulnerability research efforts; and former UK National Cyber Security Centre CEO Ciaran Martin. Coroneos has also pointed to a February 2021 OECD policy document that calls on governments to develop legal frameworks protecting vulnerability researchers.

In the UK, information security professionals and other experts have already called for an overhaul of the Computer Misuse Act, now more than three decades old. The Act makes no allowance for good-faith security research, and its broad definition of unauthorised access leaves researchers exposed to prosecution even when their aim is to get a flaw fixed.

Copyright Lyonsdown Limited 2021
