Why Reporting Security Bugs Can Be Fraught With Tension

Experts: Legal Protections Are Needed for Responsible Researchers
Casey Ellis, founder, CTO and chairman of Bugcrowd, and Edward Farrell, director and principal consultant at Mercury Information Security Services

Reporting security vulnerabilities to organizations with no disclosure policies can be fraught with tension. In the worst conflicts, security researchers could face lawsuits or even prosecution.

Edward Farrell, who is the director and principal consultant with Mercury Information Security Services in Sydney, knows this firsthand.

A building management software vendor threatened to sue after Farrell reported several access control bugs to the vendor in 2015. The vendor first claimed his findings had not been accurate, but later accepted the findings (see: A Vulnerability Disclosure Tale: Handcuffs or a Hug?).

More and more organizations are adopting researcher-friendly vulnerability disclosure programs or bug bounty programs - or even just making it easier for researchers to quickly reach someone in the security department. But hostility still sometimes surfaces.

Last week, Missouri Gov. Michael L. Parson referred a case to prosecutors that raised eyebrows around the world. A newspaper reporter with the St. Louis Post-Dispatch responsibly disclosed that a state education website was leaking the Social Security numbers of educators (see: Missouri Refers Coordinated Bug Disclosure to Prosecutors).

Casey Ellis, the founder, CTO and chairman of Bugcrowd, which is a platform for reporting software vulnerabilities, says legal protections are needed for responsible security researchers.

"I do believe that hackers and even lay people that identify security risks - they function as the internet's immune system," says Ellis, who is also involved in Disclose.io, an initiative that creates safe harbor best practices for good-faith security research.

In this video interview, Ellis and Farrell discuss:

  • How the legal environment around security research is evolving;
  • What kind of threats security researchers face;
  • Why legal protections are needed for responsible researchers.

Farrell is the director and principal consultant with Mercury Information Security Services, which is a Sydney-based consultancy that performs penetration testing and security audits.

Ellis is the founder, CTO and chairman of Bugcrowd, a platform for coordinating and rewarding responsibly disclosed security flaws.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.