The next phase of the Pall Mall Process has begun - no, not the cigarettes, but an international, multi-stakeholder effort to establish norms for the use and governance of hacking tools. This week, organizers released a consultation towards a Code of Practice for the cybersecurity industry and invited input from companies, researchers, and civil society. The Pall Mall Process organizers hope to define responsible behavior for companies and individuals developing and deploying commercial cyber intrusion capabilities (CCICs), tools that can be used both to strengthen and to undermine global cybersecurity.
This consultation follows the release of the Pall Mall State Code of Practice, the first comprehensive, state-led compact to embed human rights, accountability, and transparency into this opaque market - now with 27 sign-ons. The Code commits governments to ensure CCICs are used only when necessary, proportionate, and legally authorized. It calls for oversight, human rights due diligence, vendor vetting, and export controls designed to prevent misuse and abuse.
The Hacking Policy Council (HPC), an initiative of the Center for Cybersecurity Policy and Law, has been actively engaged in the Pall Mall Process since its inception, representing cybersecurity professionals, researchers, and companies committed to advancing responsible security innovation. HPC helped ensure that the final State Code recognizes the importance of legitimate but potentially dual-use cybersecurity activities – including penetration testing, red teaming, coordinated vulnerability disclosure, and bug bounty programs – as lawful and beneficial.
This language directly reflects HPC’s push to protect ethical hacking from being conflated with malicious intrusion, and to ensure that efforts to control malicious actors focus on embedding governance, restraint, and transparency into the often opaque cyber intrusion market. The Code also integrates HPC’s recommendations for fostering a more consistent global approach to responsible cybersecurity practice for researchers and companies.
Despite these advances, key challenges remain. The Code does not yet prohibit high-risk spyware procurement, nor does it require governments to notify vendors when they purchase or exploit zero-day vulnerabilities. References to “researcher controls” could still pave the way for restrictive licensing regimes, underscoring the need for continued advocacy to preserve space for legitimate security research.
Now, the Pall Mall Process is turning its attention to best practices for the private sector, including members of HPC and supporters of the Center, and potentially including you. The newly launched consultation invites input on how companies, investors, and researchers manage risks in the cyber intrusion market, including due diligence, accountability, vendor vetting, and redress mechanisms. The outcome will inform the drafting of Industry Guidelines in 2026.
HPC will continue engaging in this next phase to ensure that global norms reflect the realities of cybersecurity work and protect researchers and defenders. If you or your organization work in vulnerability research, threat intelligence, or cybersecurity product development, your voice matters in shaping these norms - we’d love to talk to you as we develop our next steps. If you have thoughts on developing those next steps, please reach out to me at hewest@venable.com.