Zero-day hunters seek laws to prevent vendors suing them for helping out and doing their jobs

Cybersecurity Advisors Network (CyAN), the Paris-based body that represents infosec pros, has created a new working group to advocate for legislation that stops vendors from suing when security researchers show them zero-day bugs in their kit.

Peter Coroneos, CyAN international veep and leader of its new “Zero Day Legislative Project”, told The Register the organisation recently staged a virtual meeting of 150-plus security researchers, and the topic of aggressive legal responses to disclosures was high on their list of worries.

“Typically, they find a flaw, then notify the vendor. And at that point they get a cease and desist or threatening letter,” Coroneos told The Register. “The threats usually involve copyright and/or criminal laws that govern access or interference with computer systems.” An archive of threats made against researchers can be found here.

Vendors generally profess that they welcome researchers’ approaches, and many now operate bug bounty programs or formal disclosure initiatives to ensure they can handle claims of new holes with appropriate speed.

Coroneos was therefore surprised the issue remained of such concern to members, and said he feels the misuse of laws aimed at criminal attackers is slowing the useful work that threat-hunters perform.

“That is why we are building an international coalition to advocate for changes to laws to ensure that zero-day researchers will no longer fear heavy handed legal responses from companies whose products they are seeking to secure.”

The Project will work to define model laws that protect threat researchers, and then encourage members around the world to lobby for their introduction in different jurisdictions.

Those efforts have been endorsed by Casey Ellis, the founder, chair, and CTO of crowdsourced bug-hunting platform Bugcrowd; the founder of Microsoft’s vulnerability threat efforts, Katie Moussouris; and former UK National Cyber Security Centre CEO Ciaran Martin.

Coroneos also pointed to a February 2021 policy document from the OECD that calls for development of legal frameworks to protect threat researchers.

The Paris Call For Trust And Security In Cyberspace, the non-binding declaration on protection of infosec infrastructure initiated by French president Emmanuel Macron, has also backed CyAN’s initiative.

In Britain, there have been repeated calls from infosec pros and a group of pro-reform academics for the government to overhaul the 30-year-plus Computer Misuse Act, which is also seen as a stumbling block to those carrying out threat intelligence research. ®