Wassenaar Treaty Will Hamper Bug Bounties
msm1267 writes: If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.
Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.
Of course it is a bad idea! Most government ideas are. And yes, it will have a chilling effect on the white hats and no effect at all on the black hats. (Other than some people getting darker hats to continue to work.) The black hat 0day markets will love it, however!
Why do governments think they can control the flow of security software and exploits over the Internet?
Bad guys already don't follow the laws, and will obtain and use them anyway.
Good guys testing security will probably obtain and use them anyway because the probability of actually getting caught and prosecuted for it is nearly nil if it's not being used in a crime.
In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?
In most cases, software engineers do not need to be licensed. Maybe this is another item for the general licensing debate.
Omne ignotum pro magnifico.
But anyone with a PC can hack whatever, whoever, whenever and answer to no one?
Uh, no. That's already illegal.
The proposed changes to the law are sufficiently broad as to potentially make it illegal for me to notify a non-US software vendor about a security flaw I found in their software when probing it on my own computer.
Here's a better headline: Wassenaar Treaty _DRAFT_ _MAY_ Hamper Bug Bounties
The summary makes it sound like the treaty is a done deal; it's not. (TFA makes that point.) There's an open comment period through July 20th.
Yes, it sounds like the proposed wording isn't good. However, the final version isn't done. Give them useful feedback if you'd like. I'm sure the companies who use bug bounties have already given feedback.
Don't panic, yet.