Wassenaar Treaty Will Hamper Bug Bounties

← Back to Stories (view on slashdot.org)

Wassenaar Treaty Will Hamper Bug Bounties

Posted by Soulskill on Tuesday June 9, 2015 @09:35AM from the writing-laws-they-don't-understand dept.

msm1267 writes: If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.

17 of 35 comments (clear)

Min score:

Reason:

Sort:

Re:RAID! by __aaclcg7560 · 2015-06-09 09:47 · Score: 1

Multiple hard drive failures will do that.
Of course it is a bad idea... by houstonbofh · 2015-06-09 10:07 · Score: 3, Informative

Of course it is a bad idea! Most government ideas are. And yes, it will have a chilling effect on the white hats and no effect at all on the black hats. (Other than some people getting darker hats to continue to work.) The black hat 0day markets will love it, however!
1. Re:Of course it is a bad idea... by fustakrakich · 2015-06-09 11:06 · Score: 2
  
  Yep, nothing helps the 'underground' economy like good old prohibition. It's almost like the Black Hatters wrote the treaty.
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:Of course it is a bad idea... by gstoddart · 2015-06-09 12:53 · Score: 3, Insightful
  
  It's almost like the Black Hatters wrote the treaty.
  You're almost there ... it was Black Hatters ... but ones who see themselves as the good guys and want to prevent information about security from being publicly discussed.
  Because the only thing they care about is their continuing access to computer systems, and pretending they're doing it for our own good.
  This is the shady government agencies taking out the competition, and keeping information secret.
  Now, ask yourself ... 10 years ago how crazy would that sound?
  Because these days, it's not crazy at all.
  When they outlaw security, only governments and outlaws will have security. And then they'll be able to find you because you have security.
  If you have nothing to hide, you have nothing to fear. The pretext of keeping us safe is just bullshit window dressing.
  
  --
  Lost at C:>. Found at C.
3. Re:Of course it is a bad idea... by fustakrakich · 2015-06-09 16:03 · Score: 1
  
  The pretext of keeping us safe is just bullshit window dressing.
  It's an ancient social exploit that still works. What is there to say?
  
  --
  “He’s not deformed, he’s just drunk!”
Are they delusional? by ZorinLynx · 2015-06-09 10:47 · Score: 5, Insightful

Why do governments think they can control the flow of security software and exploits over the Internet?
Bad guys already don't follow the laws, and will obtain and use them anyway.
Good guys testing security will probably obtain and use them anyway because the probability of actually getting caught and prosecuted for it are nearly nil if it's not being used in a crime.
In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?
1. Re:Are they delusional? by fustakrakich · 2015-06-09 11:08 · Score: 2
  
  What's the point?
  Provides *probable cause*...
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:Are they delusional? by Anonymous Coward · 2015-06-09 11:40 · Score: 1
  
  No they don't.
  But some well-connected business entities think they can buy legislation that lets them silence people that publish embarrassing information about their products.
  To them that's all that matters because the stock market has become a sort of a money fashion show. Quarter-to-quarter moves that, in reality, are completely governed by outside appearances. They don't give a damn if their products are insecure. Frankly, products are just a formality. Modern companies mostly exist to game the stock market.
  The government's don't really think anything. They're too busy being pushed over by the multibillion lobbying industry while trying to run countries on ever-shrinking budgets.
  And all of the above is your fault. Yours. Personally. You wanted weak governments that are "business friendly" and cater to "job creators" - Well, you got them. The TPP is a result of that.
3. Re:Are they delusional? by gstoddart · 2015-06-09 13:01 · Score: 1
  
  In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?
  To intimidate researchers into staying quiet, to force them to provide information about exploits so they can use them for their own purposes, to criminalize providing these tools to anybody, and to keep them secret for as long as possible.
  You think this is a clumsy attempt to legislate security risks.
  I think it's a ham-handed play to claim national security jurisdiction over these things ... allowing them to both exploit these things, and be able to use secret provisions to do anything they want to with computer security.
  This isn't government ineptness, this is government overreach and a police state.
  Anything they want to do, because, terrorism.
  Behold my friends ... the inexorable creep of the fascist oligarchy.
  I keep putting on more tinfoil ... but it just ... doesn't ... fucking ... work.
  
  --
  Lost at C:>. Found at C.
Re:Worldwide ? by OrangeTide · 2015-06-09 11:03 · Score: 1, Offtopic

California roughly has the same GDP as Italy. Tennessee's is roughly that of the Republic of Ireland.
An old American joke:
Q: "Where does an 800-lb. gorilla sit?"
A: "Anywhere it wants to."

--
“Common sense is not so common.” — Voltaire
Licensing should be mandatory by Stan92057 · 2015-06-09 11:24 · Score: 1

I think so called security researchers need to be tested and licensed to do what they do. A hairdresser needs a licensed, an auto mechanic who inspects cars for inspection needs to pass tests get a license. But anyone with a PC can hack whatever ,whoever whenever and answer to no one? is somehow fair?

--
Jack of all trades,master of none
1. Re:Licensing should be mandatory by smaddox · 2015-06-09 11:39 · Score: 1
  
  Fairness is irrelevant. If you make it illegal to do security probes, many of the white hats will just go black hat. There's no way to effectively regulate it.
  Or you can start a "war on hackers", which will be even less effective than the other ill-defined wars.
2. Re:Licensing should be mandatory by bezenek · 2015-06-09 11:46 · Score: 3, Insightful
  
  In most cases, software engineers do not need to be licensed. Maybe this is another item for the general licensing debate.
  
  --
  Omne ignotum pro magnifico.
3. Re:Licensing should be mandatory by Wintermute__ · 2015-06-09 12:42 · Score: 1
  
  I can see it now, licensing test:
  1.) Hack the computer containing this test to give yourself a passing score.
  If you can do this, you are qualified to find security bugs in computer systems. If you cannot, you are not qualified.
  But seriously, what is it that you would be testing for exactly? Proficiency? Morals (people can lie, you know)? Responsibility (ditto)?
4. Re:Licensing should be mandatory by parenthephobia · 2015-06-09 12:51 · Score: 2
  
  But anyone with a PC can hack whatever ,whoever whenever and answer to no one?
  Uh, no. That's already illegal.
  The proposed changes to the law are sufficiently broad as to potentially make it illegal for me to notify a non-US software vendor about a security flaw I found in their software when probing it on my own computer.
5. Re:Licensing should be mandatory by Stan92057 · 2015-06-10 06:07 · Score: 1
  
  Who said make security probes illegal? i sure didnt. No hacker should have the power to put everyone at risk because a software maker is taking too long to fix a bug. No software maker should be allowed to sick lawyers and wave copyright in order to get out of fixing bugs. No hacker should be allowed to create software to exploit any bugs,no hacker should be allowed to show the code or a working exploit for at least 2 years after a bug fix has been issued. That,s my suggestions to create a safer web, a safer computing experience. As it stands now both sides are being dicks IMO
  
  --
  Jack of all trades,master of none
Bad headline by dlenmn · 2015-06-09 13:54 · Score: 2

Here's a better headline: Wassenaar Treaty _DRAFT__MAY_ Hamper Bug Bounties
The summary makes it sound like the treaty is a done deal; it's not. (TFA makes that point.) There's an open comment period through July 20th.
Yes, it sounds like the proposed wording isn't good. However, the final version isn't done. Give them useful feedback if you'd like. I'm sure the companies who use bug bounties have already given feedback.
Don't panic, yet.