By Ilona Cohen, Chief Policy Officer, and Michael Woolslayer, Policy Counsel
The U.K. is in the midst of a multi-year review of its primary anti-hacking statute, the Computer Misuse Act (CMA). The CMA was originally enacted in 1990 and has been updated several times to reflect continued changes in technology and cybersecurity. The current review of the CMA is wide-ranging and includes consultation on the impact of the CMA on good faith security research. HackerOne prioritizes the protection of hackers engaged in good faith security research and seeks clarity for organizations that work with the hacking community. We have repeatedly engaged with policymakers on these topics in meetings and in correspondence with officials. Earlier this month, HackerOne submitted formal comments to the U.K.’s Cyber Policy Unit recommending that any CMA revisions be consistent with global best practices that promote and encourage responsible vulnerability research and disclosure.
HackerOne’s letter asks that the revision of the CMA make clear and unquestionable that the operation of a Vulnerability Disclosure Program (VDP), and the act of finding and reporting a vulnerability through that VDP, is an officially sanctioned and even encouraged practice.
In particular, the letter emphasizes that the revised CMA should make clear that independent security research undertaken in good faith for the purpose of finding security vulnerabilities and having them fixed is not subject to criminal sanction under the CMA. HackerOne further advocated that any statutory defense in the revised CMA not depend on certifications, education, and/or formal training requirements, as that would unfairly disadvantage the self-taught and self-employed segment of the hacking community.
The revision to the CMA is the latest in a series of moves by governments worldwide to protect and encourage good faith security research. Earlier this year, the Belgian government announced that Belgian security researchers may hack any Belgian company without prior permission as long as they adhere to the government’s vulnerability disclosure guidelines, although the policy has some shortcomings. Last year, the U.S. Department of Justice announced updates to its charging policy under the Computer Fraud and Abuse Act (the U.S. equivalent of the CMA) that expand protections for good faith security research, sparking the creation of HackerOne’s Gold Standard Safe Harbor. Find out more about how you can benefit from adopting HackerOne’s Gold Standard Safe Harbor.
HackerOne continues to support the hacking community and our customers’ collaboration to build a safer internet, in part by pushing for legislative change that recognizes coordinated vulnerability disclosure and bug bounty as a best practice for increasing resistance to cyberattacks. Just last week, we furthered our advocacy for policies encouraging vulnerability detection, management, and disclosure best practices and improved protections for good faith security research by forming the Hacking Policy Council together with other industry leaders.
The full text of HackerOne’s letter regarding the CMA is available here.
Author: Ilona Cohen
Date: 2023-04-20 00:00:00