He added that legislation more friendly to legitimate research might be quicker in coming if the relationship improves between white-hat hackers and the owners of the products they investigate.
“We urge companies to adopt internal policies for accepting friendly information from researchers,” he said. “There’s no downside to having a plan for dealing with vulnerabilities.”
But he said the research community needs to be flexible as well. The policy at Rapid7, he said, is to notify the vendor of a vulnerability first, wait 15 days before notifying US CERT (Computer Emergency Readiness Team) and then another 45 days before making it public.
He said public pressure from the security community needs to be specific about what the flaws are, and propose solutions. But he said even more important is that researchers “be responsible.”
Making a flaw public before even notifying the vendor, he said, is a sure way to undermine any move to provide legal protection for researchers.
“There will be a backlash in policy land,” he said, “and that could lead to more restrictions.”