UNSW calls on government to protect bug bounty hunters

Get white hats out of legal limbo.

Australia’s current cyber security consultations provide a chance to protect vulnerability researchers, according to UNSW.

In a submission [pdf] to the 2023-2030 Australian Cyber Security strategy discussion paper, the university’s Allen Lab and its business school’s regulatory laboratory argue that there’s currently no protection for individuals “participating in good faith in a vulnerability disclosure program”.

As a result, the submission states, a “crime could be committed where a person believes they are participating in a vulnerability disclosure program, but their acts are not, in fact, ‘authorised’ under the terms of that program”.

It’s also possible that someone participating in a vulnerability disclosure program could inadvertently commit a crime, merely because they misinterpreted an ambiguity in the program’s rules.

Protecting bug hunters would need legislation both at the federal and state level, the submission said.

This may be addressed, the submission stated, by following through on plans for a proposed Cyber Security Act at the federal level, which could include a definition of what constitutes a vulnerability disclosure program.

The university also suggested an opt-in registry be kept of such programs, with organisations running disclosure programs agreeing to meet standards of “visibility, responsiveness (including transparent timelines), clarity about rewards (recognition or monetary), agreement to make vuln public after a reasonable time”.

The submission stated that legal protection could either define allowable conduct for participants in disclosure programs, or create a defence to computer crime offences where conduct falls within the definition of “good faith participation” in a program.

Copyright © iTnews.com.au. All rights reserved.