
> but there needs to be consent from the company being probed for vulnerabilities or else I find it hard to consider it legitimate research, regardless of intent.

The reality of netsec has not borne out this model. In practice, you have two broad categories of companies:

- Ones that already have a culture of security, run pentests, have bug bounties, deploy patches, etc. These aren't the ones exacerbating the botnet-of-things writ large.

- Ones that frankly don't give a damn. Either they say "we don't need security research, it's secure enough", or they say they don't want it divulging trade secrets, or any of myriad excuses. No matter what, they don't consent to security research, even if they desperately need it.

The latter often persist even after multiple wake-up calls from black hat breaches. We have in front of us a golden opportunity for distributed, decentralized security research - white and gray hats basically do this for free. Instead we punish them, while the real problem stays far out of reach of the short arm of cyberlaw. Documenting the netsec research is a pretty clear indicator of intent ^1.

Honestly at this point, I don't think we can afford to not go this route. We should give amnesty to researchers who clearly aren't causing any damage, instead of throwing the book at them, which sadly is usually the case.

1 - yes I realize this gives a potential out to black hats. I'm fine with that. There ought to be enough evidence of actual damage to tell the real criminals apart.



People aren't white or grey or black hats. Actions are.

A person can wait until they find a vulnerability to decide what type of hat they want to be. That is not only possible, but also the most rational thing for someone to do if there are no negative consequences to declaring yourself one way or the other before you find the vulnerability.

All of the problems mentioned can be addressed above the table.

We don't allow people to test your defenses unsolicited in any other industry that I know of, and the cost of cybersecurity is very high.

We can make basic security defenses a law if we want to without giving cover to black hats.

You can't throw the book at someone who has approval to do research. Business does not need to have at-will rights over that approval; we can require sufficient reasoning to deny.



