US wants Bug Bounty hunters stopped

The US government is trying to stop tech companies from paying people who find bugs in their software.

The move is part of the US government’s suggestion for the Wassenaar Arrangement which is an international treaty designed to contribute to regional and international security and stability.

The US is worried about dual-use weapons, and in a computer security context, that means so-called intrusion software such as FinFisher and HackingTeam tools that are allegedly sold to and used by oppressive regimes to spy on citizens.

While this might seem like a good idea, security researchers are worried that the proposed rules are so broad that you can land a 747 on them sideways. Effectively, they would make legitimate vulnerability research and proof-of-concept development against the law.

Researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue would have to apply for an export licence in order to privately disclose their findings to the vendor.

A foreign researcher would have to share details on a zero-day with their government before the affected vendor.

After all, it is always a good idea to let a foreign government know that there is a bug in US software; its spy services are going to do the decent thing and allow the hacker to tell the vendor. They are not going to sit on the news while they can exploit it.

Besides the security implications of doing that, security researchers are probably not going to bother going through shedloads of red tape to get an export licence just to tell someone that they have a software flaw.