undefined | Better HN

0 pointscedws2y ago0 comments

I salute you for it. Take caution though.

The bad guys don't play by the rules so the rules only hinder the good guys from helping. I think Internet security would be in a better position if we had legislation to protect good samaritan pentesters. Even moreso if they were appropriately rewarded.

0 comments

6 comments · 2 top-level

nkrisc2y ago· 2 in thread

Why, you’d never catch a black hat hacker again. The authorities would ust reeling in one Good Samaritan after another!

cedwsOP2y ago

There is a big difference between discovering a vulnerability that allows you to forge tokens and immediately reporting it versus dumping terabytes of data on the darknet for sale.

eyegor2y ago

Unfortunately, door 1 is maybe $200 bounty and weeks or months of back and forth (if the corp doesn't have a clear bounty program) whereas door 2 has infinite upside. Honestly, it might make sense for a gov group to run a standardized bounty program for exploits with notable financial / privacy impact.

2 more replies

freejazz2y ago· 2 in thread

How do you propose such a law would work?

cedwsOP2y ago

  1. White hat submits a "Notice of Vulnerability Testing" document to target company (copy also sent to government body) including their information, what systems will be tested, and in what time window
  2. Company is required to acknowledge the notice within X hours and grant permission or respond with a reason that the test cannot take place
  3. White hat performs testing according to the plan
  4. White hat discloses any findings to the company (keeping government body in the loop)
  5. Company patches systems and may reward white hat at their discretion
  6. Government body determines if fines should be applied and may also reward white hat at their discretion

Something like that. The white hat would have legal immunity as long as they submit the document, stick to the plan, and don't cause damage.

freejazz2y ago

Nothing in your proposed law provides a way to distinguish between white hats and black hats, and instead it just presupposes that the person undertaking the conduct in question is a white hat.

j / k navigate · click thread line to collapse