Last week, the Advisory Committee to the Congressional Internet Caucus hosted “Hacking: What Color Is Your Hat? Vulnerability Disclosures and the Law,” a discussion on the importance of vulnerability disclosures to protect information systems and  the nation’s cyber security defenses, and how private and public actors can safely encourage vulnerability reporting.  Technology and security companies were represented on the panel by Franck Journoud, Oracle’s Senior Director of Cybersecurity and Technology Policy, Katie Moussouris, CEO, Luta Security, and Harley Geiger, Rapid7’s Director of Public Policy. The Department of Justice (“DOJ”) was represented by Leonard Bailey, Special Counsel for National Security, Computer Crime and Intellectual Property Section (“CCIPS”).

The discussion centered around (1) the DOJ’s recently promulgated voluntary framework for handling vulnerability disclosures, (2) the challenges of reporting on and disclosing vulnerabilities and current industry best practices, and (3) potential legislative solutions to this issue.

The DOJ Framework.  The panelists discussed the benefits of the DOJ’s voluntary framework, “A Framework for a Vulnerability Disclosure Program for Online Systems,” which we previously analyzed. The purpose of the framework is to assist organizations in developing “a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments.”

The panelists discussed how the DOJ framework assists companies to comply with the Computer Fraud and Abuse Act (“CFAA”).  Although federal prosecutions under the CFAA of “white hat” hackers, who research vulnerabilities with the intent to protect systems and the public, are exceedingly rare, industry leaders have expressed concerns that it could be applied to those researchers in addition to actors who gain unauthorized access with malicious intent (“black hat” hackers).  The panelists acknowledged that distinguishing between “black hat” and “white hat” conduct presents a challenge under the CFAA because the statute’s drafters likely did not contemplate such distinctions.  Accordingly, the DOJ framework was promulgated to assist researchers to delineate between authorized and unauthorized activity under the CFAA.

The panelists discussed how the DOJ framework may encourage companies to develop formal vulnerability disclosure policies.  While the DOJ framework does not dictate the content of a company’s vulnerability disclosure policy, some of the panelists suggested that the framework could provide guidance to companies that do not currently have vulnerability reporting and disclosure policies.  Along these lines, the panelists discussed why some companies have not previously created formal disclosure policies: either they lack dedicated, internal information security personnel to facilitate a discussion on vulnerability reporting, or they are not sufficiently tuned into the technology sector to be aware of the issues.  The DOJ framework, therefore, raises awareness and encourages the adoption of vulnerability disclosure policies in all industry sectors.

Current Challenges and Best Practices.  The panelists also discussed the current legal ambiguities between permissible and impermissible security researcher activities.  The difference between such activities may depend on the circumstances and the type of vulnerability, and therefore require researchers to make situation-specific judgements.  Written vulnerability disclosure policies can play an important role in influencing such judgment calls.

For example, without a clear disclosure policy a researcher may believe that she has only two options to avoid potential liability—disclose her findings publicly (often anonymously) or not at all.  Public disclosure of a vulnerability can lead the appropriate party to fix the vulnerability, but it can also lead to a malicious actor exploiting or further exploring the identified systems for additional bugs.  On the other hand, not disclosing a vulnerability prolongs the time before it is discovered and patched, which also can result in harm.  The panelists agreed that, by providing clear guidance for permissible research and reporting processes, and incentives to reporting, a company can act on direct, discrete vulnerability information to prevent harm to company and customer assets.  But this remains a potential area of growth for most companies, as 90% of Forbes 2000 companies currently do not have public vulnerability disclosure policies.

Some of the panelists stated that federal prosecutions are not the primary concern for security researchers.  Instead, when a researcher discovers a vulnerability and releases that information, the researcher may be threatened by bad actors or by companies that misunderstand the researcher’s motive.  Such threats can have a chilling effect on the future discovery and disclosure of vulnerabilities.  To counteract this chilling effect, the panelists suggested that companies include within their vulnerability disclosure policies a statement that they will not hold researchers liable for discovering and reporting on vulnerabilities in good faith.

One of the panelists explained that vulnerabilities pose specific challenges to companies with “mission critical” enterprise software systems, including cloud-based solutions.  For these companies, remediating a vulnerability may require taking entire systems offline.  As such, a vulnerability disclosure program like a “bug bounty program,” which incentivizes individuals to report vulnerabilities in exchange for payment or recognition, may be a “good practice” but not necessarily a “best practice.”  Such companies may wish to consider investing in internal resources to discover and fix system vulnerabilities themselves.

Future Legal Developments.  The panelists concluded their discussion by focusing on future legal developments that could clarify the issue of vulnerability disclosure.  Although the DOJ’s framework focused on the CFAA, the panelists discussed the Digital Millennium Copyright Act (“DMCA”), which is another statute that impacts decisions on vulnerability research and reporting.  There was disagreement among the panelists about the import of a recently enacted DMCA provision that exempts researchers who are acting in good faith to conduct research on covered consumer devices in particular circumstances.  Some found that this exemption is “well-tailored,” while others panelists noted that the exemption’s express language governs only research, and not disclosure of discovered vulnerabilities.

In addition, the panelists discussed the current bug bounty program at the Department of Defense (“DoD”), crediting its successful implementation to the DoD’s awareness, technical capabilities, and professional skills.  However, absent those capabilities it may not be straightforward to export the same program to other government agencies with similar results, as is currently under consideration through proposed legislation to implement it at the Departments of Homeland Security and Treasury.  One panelist also questioned the use of bug bounty programs in the corporate context, stating that the majority of bugs reported under such programs are “low hanging fruit,” begging the question as to what behaviors are actually being encouraged through such programs.

Ultimately, the panelists all agreed that it was unlikely that a single legislative fix would work to encourage safe research and reporting in every context.  Such legislation would be difficult or impossible to draft, and the creation of bright line rules would likely be either over-inclusive or under-inclusive in defining the line between white hat and black hat activity in different technical environments.