iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
The University of NSW is arguing that there is currently no protection for vulnerability researchers and white hat hackers, and this issue should be addressed in the upcoming Cyber Security Strategy.
The UNSW Allens Hub for Technology, Law and Innovation has made a submission to the 2023–30 Australian Cyber Security Strategy Discussion paper, saying that those who work in the best interests of organisations by identifying vulnerabilities and disclosing them so that they can be patched are at great risk of legal prosecution.
“Currently, computer offences are dealt with federally in the Criminal Code and in equivalent state/territory laws,” UNSW said in its proposal.
“Computer offences include offences that are unrelated to broader criminal conduct (e.g. Criminal Code, Section 478.1).
“In these cases, the crime could be committed where a person believes they are participating in a vulnerability disclosure program, but their acts are not, in fact, ‘authorised’ under the terms of that program. This can be the result of poor drafting or innocent misinterpretation.”
The submission suggests that bug bounty hunters would require legislative protections at both a state and federal level, which the potential Cyber Security Act could address for the latter.
UNSW has previously proposed a bug bounty program called the cyber socket, which would allow organisations to develop programs for vulnerability disclosure.
“The protection would only cover people acting in good faith, who are not intending to cause harm or threatening harm. The moment you cease to act in good faith, the moment you threaten harm, that would be outside the protection,” said UNSW Allens Hub director Lyria Bennett Moses.
“A [cyber socket] just gives people that confidence that as long as they’re participating in good faith in a vulnerability disclosure program, not making threats, not intending to cause harm, they’re not committing crimes, and therefore it’s safe to make those reports.”
UNSW also said an “opt-in” registry would keep track of vulnerability disclosure programs.
In the submission, the university said that the changes to legislation would require clear definitions of what a “vulnerability disclosure program” is, as well as what “good faith participation in a vulnerability disclosure program (or similar words)” would be.
To work in good faith would be “for the purposes of testing, investigating, and promptly reporting a security flaw or vulnerability” as long as there is a reasonable belief that the actions of the white hat hacker were within the terms of the program, without intent to cause harm or damage.
UNSW also said that creating a legal defence that would protect those who have acted in good faith would be another option.
The full submission can be found here.
Be the first to hear the latest developments in the cyber industry.
