Wassenaar Treaty Will Hamper Bug Bounties

msm1267 writes: If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.
  • by houstonbofh ( 602064 ) on Tuesday June 09, 2015 @05:07PM (#49879487)
    Of course it is a bad idea! Most government ideas are. And yes, it will have a chilling effect on the white hats and no effect at all on the black hats. (Other than some people getting darker hats to continue to work.) The black hat 0day markets will love it, however!
    • Yep, nothing helps the 'underground' economy like good old prohibition. It's almost like the Black Hatters wrote the treaty.

      • by gstoddart ( 321705 ) on Tuesday June 09, 2015 @07:53PM (#49880253) Homepage

        It's almost like the Black Hatters wrote the treaty.

        You're almost there ... it was Black Hatters ... but ones who see themselves as the good guys and want to prevent information about security from being publicly discussed.

        Because the only thing they care about is their continuing access to computer systems, and pretending they're doing it for our own good.

        This is the shady government agencies taking out the competition, and keeping information secret.

        Now, ask yourself ... 10 years ago how crazy would that sound?

        Because these days, it's not crazy at all.

        When they outlaw security, only governments and outlaws will have security. And then they'll be able to find you because you have security.

        If you have nothing to hide, you have nothing to fear. The pretext of keeping us safe is just bullshit window dressing.

        • The pretext of keeping us safe is just bullshit window dressing.

          It's an ancient social exploit that still works. What is there to say?

  • by ZorinLynx ( 31751 ) on Tuesday June 09, 2015 @05:47PM (#49879709) Homepage

    Why do governments think they can control the flow of security software and exploits over the Internet?

    Bad guys already don't follow the laws, and will obtain and use them anyway.

    Good guys testing security will probably obtain and use them anyway because the probability of actually getting caught and prosecuted for it is nearly nil if it's not being used in a crime.

    In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?

    • What's the point?

      Provides *probable cause*...

    • by Anonymous Coward

      No they don't.

      But some well-connected business entities think they can buy legislation that lets them silence people that publish embarrassing information about their products.

      To them that's all that matters because the stock market has become a sort of a money fashion show. Quarter-to-quarter moves that, in reality, are completely governed by outside appearances. They don't give a damn if their products are insecure. Frankly, products are just a formality. Modern companies mostly exist to game the stock ma

    • In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?

      To intimidate researchers into staying quiet, to force them to provide information about exploits so they can use them for their own purposes, to criminalize providing these tools to anybody, and to keep them secret for as long as possible.

      You think this is a clumsy attempt to legislate security risks.

      I think it's a ham-handed play to claim national security jurisdiction over these things ... allowing them to b

  • I think so-called security researchers need to be tested and licensed to do what they do. A hairdresser needs a license; an auto mechanic who inspects cars needs to pass tests to get a license. But anyone with a PC can hack whatever, whoever, whenever and answer to no one? Is that somehow fair?
    • by smaddox ( 928261 )

      Fairness is irrelevant. If you make it illegal to do security probes, many of the white hats will just go black hat. There's no way to effectively regulate it.

      Or you can start a "war on hackers", which will be even less effective than the other ill-defined wars.

      • Who said make security probes illegal? I sure didn't. No hacker should have the power to put everyone at risk because a software maker is taking too long to fix a bug. No software maker should be allowed to sic lawyers and wave copyright in order to get out of fixing bugs. No hacker should be allowed to create software to exploit any bugs, and no hacker should be allowed to show the code or a working exploit for at least 2 years after a bug fix has been issued. Those are my suggestions to create a safer web, a saf
    • by bezenek ( 958723 ) on Tuesday June 09, 2015 @06:46PM (#49880005) Journal

      In most cases, software engineers do not need to be licensed. Maybe this is another item for the general licensing debate.

    • I can see it now, licensing test:

      1.) Hack the computer containing this test to give yourself a passing score.

      If you can do this, you are qualified to find security bugs in computer systems. If you cannot, you are not qualified.

      But seriously, what is it that you would be testing for exactly? Proficiency? Morals (people can lie, you know)? Responsibility (ditto)?

    • But anyone with a PC can hack whatever, whoever, whenever and answer to no one?

      Uh, no. That's already illegal.

      The proposed changes to the law are sufficiently broad as to potentially make it illegal for me to notify a non-US software vendor about a security flaw I found in their software when probing it on my own computer.

  • by dlenmn ( 145080 ) on Tuesday June 09, 2015 @08:54PM (#49880523)

    Here's a better headline: Wassenaar Treaty _DRAFT__MAY_ Hamper Bug Bounties

    The summary makes it sound like the treaty is a done deal; it's not. (TFA makes that point.) There's an open comment period [federalregister.gov] through July 20th.

    Yes, it sounds like the proposed wording isn't good. However, the final version isn't done. Give them useful feedback if you'd like. I'm sure the companies who use bug bounties have already given feedback.

    Don't panic, yet.
