US to rewrite controversial zero-day export policy

The US Department of Commerce will revise regulations intended to restrict the export of exploits and intrusion software following a flood of complaints from the technology industry and researchers.

An initial draft of the regulations, published in May, attracted hundreds of comments, many of which criticised the rules for being so broad as to bar the easy sale of standard tools used to test electronic security.

"All of those comments will be carefully reviewed and distilled, and the authorities will determine how the regulations should be changed," a spokesman for the Commerce department said.

"A second iteration of this regulation will be promulgated, and you can infer from that that the first one will be withdrawn."

The spokesman said the process will take months.

The step had been expected after the avalanche of objections from major technology companies as well as security specialists.

Even some activists who applauded the idea of cracking down on the sale of tools to despotic regimes that spy on dissidents said the draft had been clumsy.

Some version of regulation is called for under the latest iteration of the Wassenaar Agreement among 41 countries, which limits the movement of "dual-use" technologies sought for both peaceful and military purposes.

The US plan had gone further than other countries in taking aim at tools for finding software flaws.

"We're very encouraged," said Joseph Lorenzo Hall, chief technologist at the nonprofit Centre for Democracy & Technology.

He said he expected the next set of rules to be more narrowly tailored and added that the trade group would keep pushing to deregulate cryptography software and protect security research.