Kiwi bug hunters could be better safeguarded from litigation if government agencies and businesses adopt new guidelines designed to reduce the risk involved in reporting vulnerabilities.
New Zealand and Australian computer crime laws are sufficiently ambiguous that vulnerability researchers risk prosecution should they report, without prior agreement, flaws found in a vendor's or agency's websites or applications.
The loose laws mean many researchers do not disclose vulnerabilities they have found.
Lateral Security technical director Nick von Dadelszen and Ben Creet, a senior policy analyst for New Zealand's Department of Internal Affairs, were part of a team of security industry pros who published the draft guidelines on Saturday ahead of a talk at Kiwicon 7 in Wellington.
Dadelszen said he hoped the guidelines would be adopted by NZITF, whose members include some of New Zealand's biggest telcos, banks and government agencies.
"If I find [random vulnerabilities when I'm doing a test], the risk for me to tell anyone about it is too high to accept," Dadelszen told delegates at Kiwicon.
"And if it's too hard for me to accept then it's going to be too high for a bunch of other people in this room to accept -- so we just don't tell anyone.
"This is a bad state of play for New Zealand and I think if we actually want to improve security, we need to fix this and start telling people about the bugs."
The guidelines, which are open for public comment for the next six weeks, were loosely based on Danish standards that apply a set of procedures for handling vulnerability reports to government agencies in that country.
They are divided into six "expected norms" of behaviour for handling vulnerability reports, and include advanced tips for bug hunters and IT infrastructure operators.
The guidelines aim to establish and maintain trust between bug hunters and affected organisations in order to encourage researchers to be forthcoming with knowledge of security flaws.
Creet said organisations should publish formal guidelines in an accessible area of their websites for researchers to find. When bugs are reported, businesses should update the researcher on their efforts to address the flaws every week.
But vulnerability researchers should be careful not to blackmail companies when reporting bugs.
"If you say to [an organisation] 'you must fix this vulnerability or else I'm going public', technically that is blackmail," Creet said, adding that he was not giving formal legal advice.
"If you say to them: 'you should fix this vulnerability, and by-the-way I'm going public in 30 days', that is not blackmail."
The distinction was that the researcher's intentions should not be based on the intentions of the organisation in question.
Dadelszen said he was unaware of similar guidelines being developed in Australia.