Flyslinger2
Community Champion

Security Practitioner - Lawsuits

If you are anything like me, your career is about the application of security in all aspects of your life, both personal and professional.  It's also your passion. I was a CISSP practitioner before it was formally identified.  I was a late bloomer as far as actually getting the cert because of my disdain for the certification process, for all certs, not just (ISC)2.  I have morphed in my thinking.

 

Now we have bodies like (ISC)2 that are devoted to the standards of security.  The U.S. Federal Government has formalized its requirements for IT professionals and what certifications are required to conduct business.  Most of those are satisfied with just the CISSP cert.  It's a recognized profession, and hopefully you get rewarded handsomely for your knowledge.

 

Sadly, there are many organizations who do not subscribe to the methodologies that are employed during investigation of vulnerabilities.  Some offer rewards for bug reporting just to turn around and abuse the analyst.  This article reflects that: 

https://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

 

Do we:

1. Buy insurance to protect our activities?

2. Stop the analysis and let the companies suffer the consequences?

3. Anonymously report the findings on boards where it will gain traction but have adverse results for the company that has the issue?

 

Interesting points to ponder.

4 Replies
Baechle
Advocate I


@Flyslinger2 wrote:

 

Sadly, there are many organizations who do not subscribe to the methodologies that are employed during investigation of vulnerabilities.  Some offer rewards for bug reporting just to turn around and abuse the analyst.  This article reflects that: 

https://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

 

 


Mark,

 

This article was long but worth the read.  I think that this kind of plays back into the earlier discussion we had on U.S. law over at what point a person achieves unauthorized access.

 

So, for example, in the case of the Johnny Xmas reveal of a confidentiality flaw in student ID cards: he was given a card, and practically all he did was look at it.  This was the clearest case in the article of someone using a lawsuit as a weapon to punish someone else for simply making an observation about a security flaw.

 

In many of the other scenarios, though, I wonder to what depth the "research" went without prior authorization by the targeted organization.  Several of these seem* to be more of a problem with the "researchers" failing to conduct their due diligence as to what activities they are expressly authorized to do under the bug bounty programs, prior to undertaking that activity.  I say that because of my own (biased) experience, where eventually the researcher admits to exceeding the permitted activities and sometimes admits to never even confirming what the permitted activities were (as if bug bounty program == free range to do whatever the researcher wanted).

 


@Flyslinger2 wrote:

 

Do we:

1. Buy insurance to protect our activities?

2. Stop the analysis and let the companies suffer the consequences?

3. Anonymously report the findings on boards where it will gain traction but have adverse results for the company that has the issue?

 


I think there is an additional option to consider:

 

4.  Perform the due diligence of confirming what is expressly authorized security research through bug bounty programs, or obtain the necessary permission via a legal agreement prior to conducting research.

 

Sincerely,

 

Eric B.

Flyslinger2
Community Champion

#4 is a perfect addition.

Beads
Advocate I

Consider the source of the bug or exploit, and look to history as a guide as to how they will respond in the future. Legitimate bug bounty programs seem to be flourishing again, so there is some hope. Others are not so open-minded and will hammer you until you lawyer up for the privilege.

 

Those companies who have publicly sued researchers in the past should be left alone; report those vulnerabilities to those with deeper pockets, like zero day, and do it anonymously if need be.

 

As far as insurance goes, unless you're a high-profile security researcher you're probably fine without. If you're the kind of researcher who presents at BlackHat or DefCon, you're likely to find a patron or two who will help. Smaller cons (Thot, Derby, CircleCity) probably won't find much patronage. Advance at your own peril.

Baechle
Advocate I

Brent,

 

I just went and did a survey of a handful of primary liability insurers. 

 

Many of them offered "cyber" policies as an add-on to the traditional liability insurance. 

 

A handful offered 3rd party insurance (for example, for a contracted IT service provider); but most professional services liability policies already included "services and products" in their language, which would appear to cover "cyber" if it was, in fact, a service or product.

 

Do you have any examples of insurers that underwrite policies for researchers?

 

Sincerely,

 

Eric B.
