Slashdot Mirror
Chilling Effect of the Wassenaar Arrangement On Exploit Research
Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
It now becomes 100% legal to report any exploit to them an any time. Once an exploit has been submitted, they independently confirm it works and report the exploit to the appropriate author. They also give the author a deadline to fix, based on severity of the exploit - somewhere between one week and one year.
After that one deadline is up the Council itself will publish the exploit giving the original submitter full credit.
Anyone that has successfully submits an exploit gets official 'submitter' rights, granting them the right to vote on who replacements for the Academics. Anyone that has an exploit on their code submitted becomes an official 'victim' rights, granting them the right to vote on replacements for the Business council members. President continues to appoint the government chair.
excitingthingstodo.blogspot.com