November 19, 2003 5:09 PM PST
Security expert proposes hackers' union
The group, which would be geared toward researchers and not software vendors, would provide guidelines on vulnerability disclosures and would lobby against legislation that could stifle security researchers' ability to tinker with software. Nearly three-dozen people have pledged financial support to help get the yet-unnamed group started, said Thor Larholm, senior security researcher for PivX Solutions.
The move, first publicly proposed on Tuesday to a security mailing list, is the latest by hackers and security researchers to fight off corporate public relations and government policies that aim to suppress information about vulnerabilities from the public.
Security researchers and hackers have long worried that companies may succeed in using the controversial Digital Millennium Copyright Act (DMCA) to quell their reports of vulnerabilities in software products. Several companies--including Adobe Systems, Diebold Election Systems, GameSpy, Hewlett-Packard and SunComm Technologies--have used the DMCA to go after amateur and professional researchers who have found flaws in their products.
A criminal case, which resulted in the conviction of a system administrator on a single charge of computer crime, was recently overturned, but only after the researcher involved served out his 16-month sentence.
Any group that represents the interests of vulnerability researchers could counter the Organization for Internet Safety--a group founded by Microsoft and several security firms that perform work for the software giant--which has proposed guidelines for the responsible disclosure of flaws.
The new group would help security experts contact software makers, make sure they are credited for their work, lobby against legislation that blocks research, and in some cases, act as a proxy between researchers and companies.
"The vast majority of researchers are reporting vulnerabilities on a completely voluntary, noncontractual, noncommissioned basis, freely helping the vendor to secure their products," Larholm said in an e-mail to the security mailing list. "A lot of people have proposed organizations that deal with one or another of these aspects, though not all."
The public disclosure of software vulnerabilities originally gained momentum in the early 1990s, because operating system and application makers did not always respond to people who found security holes in their products. By telling the public about the security problems, the researchers ensured that software makers couldn't ignore the issue.
Many companies, such as Microsoft, hope to set guidelines for the responsible disclosure of vulnerabilities. Larholm said any group would make sure that the vulnerability researchers' interests also are considered.
"Establishing an organization that represents security researchers is not just for the good of the researchers themselves, it is for the good of the community and industry as a whole," he wrote in the e-mail.