WASHINGTON, D.C., APRIL 13, 2023 – The Center for Cybersecurity Policy and Law, a DC-based cybersecurity think tank, announced today that it has launched two new initiatives to create a more favorable legal, policy, and business environment for good faith security research, penetration testing, independent repair for security, and vulnerability disclosure. The Hacking Policy Council and the Security Research Legal Defense Fund seek to protect consumers and enterprises by advancing public policies and business practices to better detect and address security vulnerabilities.

Vulnerabilities in software and networks pose risks to people and society at large. How security vulnerabilities are identified, disclosed, and fixed is increasingly important to the operation of critical services and the protection of personal information. Activities such as ethical hacking, penetration testing, and vulnerability disclosure can uncover and help address flaws before criminals can exploit them. However, laws that restrict these activities, or that require premature disclosure of vulnerabilities to government agencies or the public, can put security at risk.

“Society depends on secure digital communications and devices, but cyberattacks and system failures increasingly endanger physical safety, consumer privacy, and the operation of services that are critical to the economy. The public benefits when security vulnerabilities in software and systems are discovered and fixed before malicious actors can discover and exploit them,” said Harley Geiger, Coordinator of the groups. “The Hacking Policy Council and the Security Research Legal Defense Fund will work to create advantages for those helping companies and governments stay a few steps ahead of the criminals.”

The Hacking Policy Council

The Hacking Policy Council will make technology safer and more transparent by facilitating best practices for vulnerability disclosure and management, as well as advocating for legal and policy reforms to empower good faith security research, penetration testing, and independent repair for security. Outdated laws create restrictions and liability for these practices, and emerging legal requirements on vulnerability disclosure and management are not always clear or in the best interests of security. There continues to be a lack of awareness and effective adoption of best practices relating to these activities, and policymakers have not implemented practical solutions to protect and encourage vulnerability disclosure and management.

Key goals of the Hacking Policy Council include:

● Creating a more favorable legal environment for vulnerability disclosure and management, bug bounties, independent repair for security, good faith security research, and pen testing;

● Growing collaboration between the security, business, and policymaking communities;

● Preventing new legal restrictions on security research, pen testing, or vulnerability disclosure and management; and

● Strengthening organizations’ resilience through effective adoption of vulnerability disclosure policies and security researcher engagement.

The founding members of the Hacking Policy Council include Bugcrowd, Google, HackerOne, Intel, Intigriti, and Luta Security. The Advisory Committee for the Council includes: Ilona Cohen (HackerOne), Amit Elazari (Intel), Casey Ellis (Bugcrowd), Katie Moussouris (Luta Security), and Charley Snyder (Google).

“This is an all-star team of substantive experts with global reach and deep ties to the security and policymaking communities,” said Ari Schwartz, Coordinator of the Center for Cybersecurity Policy and Law.

For more information about the Hacking Policy Council, please visit our website at HackingPolicyCouncil.org.

The Security Research Legal Defense Fund

The Security Research Legal Defense Fund, which will be established as a standalone 501(c)(3) nonprofit organization, will help fund legal representation for persons who face legal problems due to good faith security research and vulnerability disclosure, in cases that would advance cybersecurity in the public interest.

Too often security researchers are faced with legal threats after notifying organizations of vulnerabilities found in good faith. The Security Research Legal Defense Fund will be a resource for those threatened with lawsuits and other legal action resulting from good faith security research, penetration testing, or responsible vulnerability disclosure, providing financial support for legal representation.

The Defense Fund is in the process of obtaining 501(c)(3) status and plans to begin operations in coming months. Access to the Defense Fund will be based on eligibility guidelines and Board approval to ensure the Fund is acting in the public interest and only supporting activity that strengthens the security and safety of computers and users. The Defense Fund will also maintain confidentiality for legal inquiries.

“Security researchers help protect consumers by identifying flaws in software and computers so that the flaws can be fixed before criminals exploit them. Yet these people have historically faced legal threats for performing good faith security research and disclosing vulnerabilities,” said Amie Stepanovich, a member of the Board of Directors for the Fund. “We want to make sure good faith security researchers have options available to them so that their valuable contributions are not shut down with a blanket cease-and-desist letter or misguided prosecution.”

The Security Research Legal Defense Fund’s Board of Directors includes: Jim Dempsey (University of California at Berkeley), Kurt Opsahl (Filecoin Foundation), and Amie Stepanovich (Future of Privacy Forum). The Fund’s operations will be financed through voluntary donations by organizations and individuals.

For more information about the Fund, please visit our website at SecurityResearchLegalDefenseFund.org.

* * *

For more information on the Hacking Policy Council or the Security Research Legal Defense Fund, please contact Harley Geiger, HLGeiger@venable.com.
