Wassenaar Treaty Will Hamper Bug Bounties

← Back to Stories (view on slashdot.org)

Wassenaar Treaty Will Hamper Bug Bounties

Posted by Soulskill on Tuesday June 9, 2015 @09:35AM from the writing-laws-they-don't-understand dept.

msm1267 writes: If the proposed U.S. Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.

4 of 35 comments (clear)

Min score:

Reason:

Sort:

Of course it is a bad idea... by houstonbofh · 2015-06-09 10:07 · Score: 3, Informative

Of course it is a bad idea! Most government ideas are. And yes, it will have a chilling effect on the white hats and no effect at all on the black hats. (Other than some people getting darker hats to continue to work.) The black hat 0day markets will love it, however!
1. Re:Of course it is a bad idea... by gstoddart · 2015-06-09 12:53 · Score: 3, Insightful
  
  It's almost like the Black Hatters wrote the treaty.
  You're almost there ... it was Black Hatters ... but ones who see themselves as the good guys and want to prevent information about security from being publicly discussed.
  Because the only thing they care about is their continuing access to computer systems, and pretending they're doing it for our own good.
  This is the shady government agencies taking out the competition, and keeping information secret.
  Now, ask yourself ... 10 years ago how crazy would that sound?
  Because these days, it's not crazy at all.
  When they outlaw security, only governments and outlaws will have security. And then they'll be able to find you because you have security.
  If you have nothing to hide, you have nothing to fear. The pretext of keeping us safe is just bullshit window dressing.
  
  --
  Lost at C:>. Found at C.
Are they delusional? by ZorinLynx · 2015-06-09 10:47 · Score: 5, Insightful

Why do governments think they can control the flow of security software and exploits over the Internet?
Bad guys already don't follow the laws, and will obtain and use them anyway.
Good guys testing security will probably obtain and use them anyway because the probability of actually getting caught and prosecuted for it are nearly nil if it's not being used in a crime.
In other words, these laws stop no one except maybe one or two goodie-two-shoes. What's the point?
Re:Licensing should be mandatory by bezenek · 2015-06-09 11:46 · Score: 3, Insightful

In most cases, software engineers do not need to be licensed. Maybe this is another item for the general licensing debate.

--
Omne ignotum pro magnifico.