UNSW calls on government to protect bug bounty hunters

Get white hats out of legal limbo.

Australia’s current cyber security consultations provide a chance to protect vulnerability researchers, according to UNSW.

In a submission to the 2023-2030 Australian Cyber Security strategy discussion paper, the university’s Allen Lab and its business school’s regulatory laboratory argue that there’s currently no protection for individuals “participating in good faith in a vulnerability disclosure program”.

As a result, the submission states, a “crime could be committed where a person believes they are participating in a vulnerability disclosure program, but their acts are not, in fact, ‘authorised’ under the terms of that program”.

It’s also possible that someone participating in a vulnerability disclosure program could inadvertently commit a crime, merely because they misinterpreted an ambiguity in the program’s rules.

Protecting bug hunters would need legislation both at the federal and state level, the submission said.

This may be addressed, the submission stated, by following through on plans for a proposed Cyber Security Act at the federal level, which could include a definition of what constitutes a vulnerability disclosure program.

The university also suggested an opt-in registry be kept of such programs, with organisations running disclosure programs agreeing to meet standards of “visibility, responsiveness (including transparent timelines), clarity about rewards (recognition or monetary), agreement to make vuln public after a reasonable time”.

The submission stated that legal protection could either define allowable conduct for participants in disclosure programs, or create a defence to computer crime offences if conduct is within the definition of “good faith participation” in a program.

Copyright © iTnews.com.au . All rights reserved.