Why Reporting Security Bugs Can Be Fraught With Tension

Experts: Legal Protections Are Needed for Responsible Researchers
Casey Ellis, founder, CTO and chairman of Bugcrowd, and Edward Farrell, director and principal consultant at Mercury Information Security Services

Reporting security vulnerabilities to organizations with no disclosure policies can be fraught with tension. In the worst conflicts, security researchers could face lawsuits or even prosecution.

Edward Farrell, director and principal consultant with Mercury Information Security Services in Sydney, knows this firsthand.

A building management software vendor threatened to sue after Farrell reported several access control bugs to the vendor in 2015. The vendor first claimed his findings had not been accurate, but later accepted the findings (see: A Vulnerability Disclosure Tale: Handcuffs or a Hug?).

More and more organizations are adopting researcher-friendly vulnerability disclosure programs or bug bounty programs - or even just making it easier for researchers to quickly reach someone in the security department. But hostility still sometimes surfaces.

Last week, Missouri Gov. Michael L. Parson referred a case to prosecutors that raised eyebrows around the world. A newspaper reporter with the St. Louis Post-Dispatch responsibly disclosed that a state education website was leaking the Social Security numbers of educators (see: Missouri Refers Coordinated Bug Disclosure to Prosecutors).

Casey Ellis, the founder, CTO and chairman of Bugcrowd, which is a platform for reporting software vulnerabilities, says legal protections are needed for responsible security researchers.

"I do believe that hackers and even lay people that identify security risks - they function as the internet's immune system," says Ellis, who is also involved in Disclose.io, an initiative that creates safe harbor best practices for good-faith security research.

In this video interview, Ellis and Farrell discuss:

  • How the legal environment around security research is evolving;
  • What kind of threats security researchers face;
  • Why legal protections are needed for responsible researchers.

Farrell is the director and principal consultant with Mercury Information Security Services, which is a Sydney-based consultancy that performs penetration testing and security audits.

Ellis is the founder, CTO and chairman of Bugcrowd, a platform for coordinating and rewarding responsibly disclosed security flaws.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
