A group of tech companies, security vendors, and non-profits have launched two new initiatives aimed at defending security researchers against potential legal battles over the vulnerabilities they uncover.
The Hacking Policy Council, formed by Google, Intel, Luta Security, HackerOne, BugCrowd, and Intigriti, will advocate worldwide for laws and regulations that promote best practices for vulnerability disclosure. The council aims to bridge gaps in the industry’s support for security researchers.
Google has also provided an unspecified amount of seed funding to launch the Security Research Legal Defense Fund. The fund will provide financial aid to researchers who face legal threats after reporting a flaw to a company. The fund has three independent board members and is seeking funding from other companies.
Security researchers probe for exploitable bugs in online services and report them to the companies behind the products with the hope of a fix. However, some companies downplay the impact of the bugs or even sue the researcher for violating anti-hacking laws or copyright infringement.
The new programs hope to create a “warming effect” between researchers and companies, said Katie Moussouris, founder and CEO of Luta Security. The Security Research Legal Defense Fund will support researchers who demonstrate a financial need for legal aid and meet the fund’s definition of a good-faith security researcher.
Tim Willis, head of Google’s Project Zero initiative, said the new programs aim to ensure that companies do not just patch over the crack in the wall but rather work towards a solution.
The Hacking Policy Council has already met with EU officials to discuss changes to the proposed Cyber Resilience Act, while the legal defense fund focuses on raising awareness about the program and is now open to accepting new cases.
The sources for this piece include an article in Axios.