“They dismissed it, and they didn’t fix the problem,” he told The Australian Financial Review.
In early 2016, he was at the airport, on his way to a cyber security conference where he planned to disclose the problem, when he got an email from the company behind the building management software, threatening to sue him if he went ahead.
“The lawsuit would have bankrupted me,” he said.
Mr Farrell never got on the plane, never fully disclosed the problem publicly, and to this day can’t even name the company under a settlement he made to avoid the lawsuit.
The company eventually patched the problem, he said.
Mr Farrell said legal protection for ethical security researchers who responsibly report security flaws was desperately needed in Australia and around the world.
Peter Coroneos, international vice-president of the Paris-based Cybersecurity Advisors Network (CyAN), said stories like Mr Farrell’s were all too common.
Copyright laws, which make it illegal to circumvent digital protection mechanisms, were frequently used to silence researchers and ethical hackers who found bugs.
Data protection law, contract law, even criminal law were all being weaponised and turned on researchers to stop the public finding out about serious security flaws in the products and platforms they use, he said.
“There is still fear and trepidation in the hearts and minds of bona fide zero-day researchers,” Mr Coroneos said, referring to the term for security flaws that have yet to have a patch made available.
“This fear has a rational basis. It’s grounded in a history of legal threats and actual litigation being levelled at the researchers by vendors who take exception to the fact that third parties are finding fault with their product.”
Mr Coroneos, the former head of Australia’s Internet Industry Association, is spearheading a global campaign to go through laws “with a fine-tooth comb” and amend those that prevent responsible vulnerability disclosure: a process that usually entails researchers giving software and hardware makers time to patch a problem before it is reported more widely.
The Department of Home Affairs, one of several government departments responsible for cyber security, declined to comment on whether it was considering amending laws to make disclosures safer for researchers.
But the department was “considering stakeholder feedback about how to encourage greater uptake of responsible disclosure policies in Australia”, a spokesman said.
A responsible disclosure policy “is a process adopted by a software owner that sets out how vulnerabilities can be reported and when vulnerabilities can be disclosed publicly”.
Having formal RDPs in place “can reduce the potential for litigation between security researchers and software owners,” the department spokesman said.
Internationally, the campaign has received high-profile backers.
The former chief executive of the National Cyber Security Centre in the UK, Ciaran Martin, supported the call for law changes. “Ethical cyber security research needs proper legal protection if it’s to help us clean up the digital environment.”
Katie Moussouris, who founded Microsoft Vulnerability Research and created Microsoft’s bug bounty program, said: “Security researchers are the public safety whistleblowers for technology that the world increasingly depends upon.
“It’s high time the world’s laws provided these good faith hackers safer ways to perform their vital research, (which is) essential to securing the modern world.”