Chris Soghoian of the ACLU asks the US Department of Commerce to make it easy for security researchers to report security flaws without fear of being locked up for exposing important vulnerabilities:
Today, the ACLU submitted a formal comment to the Internet Policy Task Force recommending several ways that companies and government agencies can encourage security researchers to disclose security flaws that make their websites and other computer systems vulnerable.
Far too many of the cybersecurity legislative proposals discussed in Washington (and opposed by the ACLU) would hurt civil liberties by expanding the government’s surveillance powers. Improving the process through which computer security vulnerabilities are disclosed to companies and government agencies, on the other hand, will increase cybersecurity while protecting privacy – a win-win.
All computer systems have programming flaws and design mistakes that can be exploited, and no system will ever be one hundred percent secure. An unfortunate reality is that these flaws can be discovered and exploited by criminals and foreign governments’ intelligence services and militaries, who will not responsibly disclose the flaws but rather will exploit them for their own gain. But sometimes security researchers who have discovered security flaws and have pointed them out to those responsible have been met with legal threats or, in some cases, lawsuits. These legal risks chill research and can discourage researchers from notifying the companies or organizations responsible for the vulnerable code.
Sometimes I wonder – and this is some real tinfoil hat thinking here – if the government wishes to keep security vulnerabilities secret so the NSA can continue to exploit them against our adversaries for as long as possible. The flaw here is that if this is what the US government wishes, they sure are taking a huge leap of faith that those very same adversaries have not, themselves, found the same vulnerabilities and 1) patched them -and- 2) are exploiting the flaws against the US and other nations.
It may sound far-fetched but I do not believe it to be too off-base.