Google and a group of other companies will develop and stand up a pair of new initiatives: one to provide policy guidance to governments and one to provide legal protection to security researchers engaged in "good faith" vulnerability research and disclosure. Google also said it would formalize an internal policy of publicly disclosing when bugs in Google products are exploited in the wild.
The moves include the establishment of an industry-led Hacking Policy Council, designed to bring together "like-minded organizations and leaders who will engage in focused advocacy new policies and regulations support best practices for vulnerability management and disclosure and do not undermine our users' security," as well as a planned nonprofit that would fund legal costs for security researchers who are sued or prosecuted while conducting vulnerability research and disclosure, according to a blog post published alongside the announcements Wednesday.
The council will include representatives from the bug bounty platforms HackerOne, Bugcrowd and Intigriti; the vulnerability disclosure consultancy Luta Security; Venable, a law firm that specializes in cybersecurity law and policy matters; and Intel.
“I think it’s very much a coalition of the willing,” said Charley Snyder, head of security policy at Google, when asked how the council chose its initial membership. “There was no real criteria [for membership]…this is a fairly specialized area of policy, and these companies are ones that are really invested in getting it right.”
Snyder and Tim Willis, head of Google's Project Zero, which conducts research on zero-day vulnerabilities, cited three information security standards from the International Organization for Standardization (ISO/IEC 27001, 27002 and 30179) as examples of the kind of standards and best practices that will guide the council's recommendations.
The formation of the council comes at a time when the United States and other nations are showing an increased willingness to regulate the cybersecurity choices of businesses and other entities, with the aim of preventing cyberattacks from significantly disrupting, or spreading through, a particular sector, critical infrastructure or other essential services.
The use of existing or future regulatory authority was a key pillar of the Biden administration's national cybersecurity strategy, and agencies such as the Securities and Exchange Commission, the Transportation Security Administration and the Environmental Protection Agency have since issued a raft of sector-specific cybersecurity regulations or proposals over the last month.
Legal defense fund aimed at security researchers and 'good faith research'
The other announced initiative is a legal defense fund for security researchers who are sued or prosecuted for pursuing "good faith research in cases that would advance cybersecurity for the public interest." Representatives from Google told SC Media that the company will provide seed money for the fund, but that it will be managed as a separate 501(c)(3) nonprofit entity.
At an event Thursday, Harley Geiger, a cybersecurity attorney at Venable, said incidents “such as when the governor of Missouri threatened a reporter for telling a state agency about a vulnerability in his website” would be among the cases the fund will be set up to support. Geiger said the fund does not plan to provide direct legal representation or services to affected researchers "at this time."
The Department of Justice under President Joe Biden has made it official policy to avoid prosecuting "good faith" security research under the Computer Fraud and Abuse Act. But digital civil liberties organizations continue to have questions about how law enforcement agencies will define such research, and, separately, researchers and journalists have also faced the threat of lawsuits from private sector companies and organizations when they disclose or report on vulnerabilities in those organizations' products.
“Right now, we have a lot of regulations that…were frankly written in a different era when there was not a nuanced understanding of the hand-in-hand relationship between vulnerability discovery and malicious hacking prevention,” said Katie Moussouris, CEO and founder of Luta Security. “I think that it’s very difficult to get a lot of these regulations to be unwound to a productive place [and] I think there is a lot of room for improvement [and] disambiguation of intent.”
Additionally, while Google already discloses when vulnerabilities in its products are exploited in the wild within seven days of discovery, the company will formalize that practice as official company policy going forward.