Why Reporting Security Bugs Can Be Fraught With Tension
Experts: Legal Protections Are Needed for Responsible Researchers
Reporting security vulnerabilities to organizations with no disclosure policies can be fraught with tension. In the worst conflicts, security researchers could face lawsuits or even prosecution.
Edward Farrell, who is the director and principal consultant with Mercury Information Security Services in Sydney, knows this firsthand.
A building management software vendor threatened to sue after Farrell reported several access control bugs to it in 2015. The vendor first disputed his findings but later accepted them (see: A Vulnerability Disclosure Tale: Handcuffs or a Hug?).
More and more organizations are adopting researcher-friendly vulnerability disclosure programs or bug bounty programs - or even just making it easier for researchers to quickly reach someone in the security department. But hostility still sometimes surfaces.
Last week, Missouri Gov. Michael L. Parson referred a case to prosecutors that raised eyebrows around the world. A newspaper reporter with the St. Louis Post-Dispatch responsibly disclosed that a state education website was leaking the Social Security numbers of educators (see: Missouri Refers Coordinated Bug Disclosure to Prosecutors).
"I do believe that hackers and even lay people that identify security risks - they function as the internet's immune system," says Ellis, who is also involved in Disclose.io, an initiative that creates safe harbor best practices for good-faith security research.
In this video interview, Ellis and Farrell discuss:
- How the legal environment around security research is evolving;
- What kind of threats security researchers face;
- Why legal protections are needed for responsible researchers.
Farrell is the director and principal consultant with Mercury Information Security Services, which is a Sydney-based consultancy that performs penetration testing and security audits.
Ellis is the founder, CTO and chairman of Bugcrowd, a platform for coordinating and rewarding responsibly disclosed security flaws.