We the undersigned organizations, members of the Hacking Policy Council, respectfully request regulatory guidance from the Office of Foreign Assets Control (OFAC) regarding coordinated vulnerability disclosure processes and sanctions. We urge the Department to clarify organizations’ obligations when receiving a cybersecurity vulnerability disclosure from individuals in “comprehensively sanctioned” countries and regions, and the organization’s ability to ask follow-up questions regarding that vulnerability. Vulnerability disclosures are communications of information, without remuneration, performed to ensure and promote the security of information systems. We commend OFAC for stating in FAQ 448 that the “U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors.”1 We recognize that this is aligned with the broader U.S. government policy of reducing software vulnerabilities by promoting adoption of coordinated vulnerability disclosure processes in the public and private sectors.2It would be beneficial for OFAC to clarify that such communications from individuals in comprehensively sanctioned areas are not restricted and are exempt from sanctions.
Read Next
The U.S. Data Security EO with Lee Licata and Grant Dasher (Part 2)
For the first time in the Distilling Cyber Policy podcast, Alex and Jen are re-joined by guests from earlier this season: Lee Licata, from the Department of Justice, and Grant Dasher, from CISA.
The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments
The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.
The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)
In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.