Responsible Vulnerability Disclosure: An Expert Guide for Security Researchers
Get advice from security experts on how to responsibly disclose the vulnerabilities you discover without fear of legal consequences or prison.
When it comes to responsible vulnerability disclosure, security researchers must understand how to disclose safely to avoid legal consequences, fines, and worse—prison. The legal risk for security researchers is real: even a vulnerability disclosed in "good faith" can draw legal action if the researcher did not follow a proper responsible disclosure process.
"Many hackers refrain from publicly disclosing privacy and security vulnerabilities they discover due to fear of legal retaliation. Consequently, this is creating an increasingly hostile digital frontier for everyone. The only viable remedy is to provide safeguards for hackers conducting good-faith security research." —Hacking Is Not A Crime
In this Q&A-style article, we interview experts in the cybersecurity field: a penetration tester, a privacy lawyer, and a security executive in the United States, as well as a world-renowned hacker from Uruguay who was imprisoned for disclosing vulnerabilities. We also review best practices for responsible vulnerability disclosure, providing a comprehensive guide to help security researchers navigate the legal risks.
Why Responsible Vulnerability Disclosure Matters
Whether you've discovered software, network, or application vulnerabilities, it's critical to have authorization before you test a system and to follow proper legal channels when reporting a vulnerability to the organization or to the appropriate authorities (e.g., the FBI, the Department of Homeland Security, or CISA). Improper vulnerability disclosure carries several legal consequences that security researchers may face even when they act unknowingly, including:
- Lawsuits: Companies can sue security researchers, which may mean legal expenses and damages, and because laws like the CFAA carry both civil and criminal provisions, a civil dispute can also be referred for criminal charges. Researchers risk being accused of unauthorized access, exceeding authorized access, or causing damage to a computer system.
- Imprisonment: Mishandling vulnerability disclosure can escalate to criminal prosecution, and in extreme cases, researchers might face jail time.
- Financial Loss: Legal disputes can become very costly, requiring specialized legal counsel, court fees, and fines, while researchers may also lose income during these proceedings. Bail costs can further complicate matters.
- Damaged Reputation: A security researcher's reputation can be irreversibly tarnished, affecting future job opportunities in the cybersecurity industry.
- Retaliation: Without a safe harbor agreement or a vulnerability disclosure policy (VDP), a researcher who discloses a vulnerability has no protection and is at significant risk if the organization chooses to retaliate, whether by pursuing legal action or by reporting them to authorities.
- Blacklisting: You can be viewed as a liability and barred from vulnerability disclosure programs (VDPs), bug bounty programs, or professional opportunities.
Additionally, from an organizational perspective, improper disclosure raises an organization's security risk. Publicizing a vulnerability before it has been handled increases the chance that it is exploited while still unpatched. Companies may also face regulatory fines for failing to address vulnerabilities, and reputational damage from flaws that remain unfixed. Finally, organizations with a poor record of responding to ethical hackers' disclosures are at greater risk of suffering a significant breach.
What Should Hackers Know About Disclosing Vulnerabilities Safely?
We interviewed Alyssa Miller, a seasoned hacker and BISO (Business Information Security Officer) with over 15 years of experience in cybersecurity. We asked her for advice on what hackers should know to disclose vulnerabilities properly, especially if they are fearful of legal repercussions. Here are some key takeaways:
Understand the Company’s Policies
Before diving into any system, it’s crucial to understand if the organization has a bug bounty program or clear reporting procedures.
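One concrete place to look for those reporting procedures is the organization's security.txt file (RFC 9116), served at /.well-known/security.txt, whose Contact field gives the reporting channel and whose Policy field links the disclosure policy or safe harbor terms. The parser and checker below is an added example written for this article, not code from the page or from Alyssa Miller; it works offline on two constructed sample files, and the example.com host and contact addresses are placeholders. It flags the cases that matter before you rely on the file: no Contact, a Contact that is not a URI, a missing or expired Expires timestamp, and the absence of a Policy link.

```python
"""Parse and sanity-check an RFC 9116 security.txt file offline.

Added example for this article, not code from the page or from anyone quoted
in it. Field names and rules follow RFC 9116 (security.txt). The two sample
files, the example.com host and the contact addresses are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fields defined by RFC 9116. Contact and Expires are mandatory;
# Expires and Preferred-Languages must not repeat, the others may.
KNOWN_FIELDS = {
    "Contact", "Expires", "Encryption", "Acknowledgments",
    "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF",
}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
_BY_LOWER = {f.lower(): f for f in KNOWN_FIELDS}  # field names are case-insensitive


def parse_security_txt(text):
    """Return {field: [values...]} in file order, skipping comments and blanks."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {line!r}")
        name, value = line.split(":", 1)
        name = _BY_LOWER.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def _parse_expires(value):
    """RFC 3339 timestamp; fromisoformat() before Python 3.11 rejects a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return when


def validate(fields, now):
    """Return (errors, warnings). Any error means: do not rely on this file."""
    errors, warnings = [], []
    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            warnings.append(f"unknown field {name!r} ignored")
        elif name in SINGLE_VALUED and len(values) > 1:
            errors.append(f"{name} appears {len(values)} times; at most one allowed")

    contacts = fields.get("Contact", [])
    if not contacts:
        errors.append("Contact is required")
    for contact in contacts:
        scheme = urlparse(contact).scheme.lower()
        if not scheme:
            errors.append(f"Contact {contact!r} is not a URI (mailto:, tel: or https:)")
        elif scheme == "http":
            warnings.append(f"Contact {contact!r} uses plain http; RFC 9116 expects https")

    expires = fields.get("Expires", [])
    if not expires:
        errors.append("Expires is required")
    else:
        try:
            when = _parse_expires(expires[0])
        except ValueError as exc:
            errors.append(f"Expires {expires[0]!r} is not an RFC 3339 timestamp: {exc}")
        else:
            if when <= now:
                errors.append(f"file expired on {when.isoformat()}; its contacts may be stale")
            elif when - now > timedelta(days=366):
                warnings.append("Expires is more than a year out; RFC 9116 recommends less")

    if "Policy" not in fields:
        warnings.append("no Policy link; get the disclosure policy / safe harbor terms in writing")
    return errors, warnings


# Constructed samples (placeholder host and addresses).
GOOD = """\
# Constructed example: what a usable security.txt looks like
Contact: mailto:security@example.com
Contact: https://example.com/vdp
Expires: 2025-06-30T00:00:00Z
Policy: https://example.com/vdp/terms
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
"""

STALE = """\
# Constructed example: a file you should not rely on
contact: security@example.com
Expires: 2024-01-01T00:00:00Z
"""

REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible


def check(text, now=REFERENCE_NOW):
    """Parse, validate and summarise one security.txt body."""
    fields = parse_security_txt(text)
    errors, warnings = validate(fields, now)
    return {"ok": not errors, "errors": errors, "warnings": warnings, "fields": fields}


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("STALE", STALE)):
        result = check(text)
        print(label, "usable" if result["ok"] else "DO NOT RELY ON IT")
        for msg in result["errors"]:
            print("  error:", msg)
        for msg in result["warnings"]:
            print("  warn: ", msg)
```

When the file is missing, expired, or lacks a Policy link, treat it as the absence of a disclosure program: that is the situation in which the safe harbor agreement discussed below matters most, and you should not assume permission to test.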
Request a Safe Harbor Agreement
Before disclosing any vulnerabilities, always seek legal protection to avoid potential retaliation. According to Alyssa Miller, securing a Safe Harbor Agreement is an essential step in protecting yourself from legal consequences.
Alyssa further stresses the importance of withholding sensitive details if an organization refuses to sign the agreement.
She advises being clear but cautious when approaching companies.
Document Everything Thoroughly
Alyssa underscores the importance of keeping detailed records of your work:
If you're able to create multiple accounts for testing, access only the data those accounts are authorized to see; reaching into another user's data is exactly the "exceeding authorized access" that turns research into a legal problem. This is crucial for avoiding legal complications, as Alyssa warns:
Legal Protections and Risks for Ethical Hackers
To explore the legal side of vulnerability disclosure, we spoke with PrivacyLawyerD, a data and privacy lawyer (whose full name is withheld for privacy reasons) with experience at a leading global streaming platform. We asked him for guidance on how security researchers can safeguard themselves legally when disclosing vulnerabilities.
Consult a Lawyer Before Disclosing Vulnerabilities
Before taking any action, PrivacyLawyerD stresses the importance of legal consultation.
According to PrivacyLawyerD, understanding the legal framework and consulting a lawyer—who can offer professional advice specific to your situation—is critical before making any disclosures. Even if the organization has a Bug Bounty program, there can be risks if they don’t follow their own guidelines.
Be Aware of Bug Bounty Program Risks
While Bug Bounty programs are designed to encourage vulnerability disclosure, PrivacyLawyerD points out that not all companies follow their own rules.
PrivacyLawyerD advises researchers to investigate how a company has handled disclosures in the past to avoid unnecessary risks.
Ensure Legal Protection with Documentation and Consultation
Even if you’ve acted ethically, the legal ramifications can be severe if the company retaliates. PrivacyLawyerD recommends making documentation and legal consultation an essential part of your process.
Real-World Lessons from Alberto Daniel Hill
We spoke with Alberto Daniel Hill, the first hacker in Uruguay to be imprisoned for disclosing vulnerabilities. His story sheds light on the risks security researchers face when legal protections aren’t in place. We asked him what he would have done differently.
Lessons from Hill's Experience
Hill’s story emphasizes the importance of being cautious, especially when dealing with companies that don’t have clear policies or agreements in place. His situation serves as a powerful reminder that even ethical actions can have devastating consequences without the proper legal protections in place.
How Hill's Case Could Have Been Different
Hill believes that having better legal safeguards and protections could have changed the outcome of his case. His advice to other researchers: take every precaution, no matter how small the vulnerability you’re reporting.
Don’t Be Naive—Always Protect Yourself
Hill reflects on his own naivety, admitting that he trusted the system too much. His story is a sobering reminder for all security researchers to never overlook the importance of legal protection.
To Find or Not to Find A Vulnerability
Fear of legal consequences has discouraged many security researchers from disclosing vulnerabilities, especially after hearing stories like Alberto Daniel Hill's or other cybersecurity professionals charged with computer crimes. We asked Phillip Wylie and Alyssa Miller for their thoughts on whether it's ethical or even advisable to find and disclose vulnerabilities without permission. Here's what they shared:
Is It Legal to Find and Disclose a Vulnerability Without Permission?
Phillip Wylie shared his perspective:
Facing Legal Repercussions for Ethical Hacking
Phillip Wylie also touched on how ethical hackers can face legal consequences:
What Makes a Security Researcher a Criminal?
Alyssa Miller highlighted the fine line between ethical research and criminal behavior, explaining how the CFAA (Computer Fraud and Abuse Act) can be broadly interpreted.
Advice for Businesses on Responding to Vulnerability Disclosures
Organizations often approach vulnerability disclosures with fear, uncertainty, and doubt (F.U.D.), labeling ethical hackers as "bad guys." Alyssa Miller and PrivacyLawyerD provide insights on how businesses should respond to good-faith disclosures from security researchers.
How Businesses Should Treat Ethical Hackers
Alyssa Miller shared her thoughts on how organizations can build trust with security researchers:
She further suggests offering compensation to researchers, even if they don’t demand it, and negotiating in good faith.
Building Stronger Relationships with Security Researchers
Alyssa Miller emphasizes that many organizations jump to legal action because they lack security awareness or security maturity, which leads to misguided reactions. She explains:
Alyssa further continues:
Understanding the Intentions of Security Researchers
Alyssa Miller stresses that security researchers generally have good intentions, even when they request compensation for their work. She elaborates:
Organizations should recognize this and avoid creating an environment of distrust. By doing so, they can prevent driving security researchers to disclose vulnerabilities publicly rather than through appropriate channels. Miller explains:
Why Public Disclosure Happens: Trust Issues in Vulnerability Reporting
Alyssa Miller notes that taking aggressive action against security researchers can lead to unintended consequences. She explains:
She challenges organizations with a thought-provoking question:
What Legal Pitfalls Do Businesses Face When Ignoring Researchers?
PrivacyLawyerD warns businesses about the consequences of ignoring or retaliating against ethical hackers:
He further adds:
Why Businesses React Negatively to Vulnerability Disclosures
PrivacyLawyerD explains the typical reactions of businesses:
He continues:
Why Legal Retaliation Damages the Security Ecosystem
PrivacyLawyerD adds that retaliation from companies is often counterproductive:
Nobody’s security is 100%, and nobody’s privacy is 100%. If you don't work to learn everything you can from privacy and security, then you're setting yourself up for failure.
He also notes:
The Impact of Treating Security Researchers Like Whistleblowers
PrivacyLawyerD highlights the larger issue at play:
How Companies Can Create a Secure, Cooperative Ecosystem
PrivacyLawyerD emphasizes:
He also recommends:
Dealing with Bug Bounty Program Failures
PrivacyLawyerD shares advice for researchers who encounter companies that fail to follow their Bug Bounty programs:
Companies Should Respect Security Researchers and Vulnerability Disclosure
In closing, PrivacyLawyerD shares an important piece of advice for companies: