In a world where the word “hackers” is used to refer to mischievous people working out of dark attics, those hackers that kindly point out you forgot to lock your door are often forgotten. These so-called ethical hackers, who responsibly disclose vulnerabilities to the right authorities, find themselves flooded with legal threats from time to time. Nevertheless, the real issue undermining responsible disclosure is cultural, not legal.

Responsible disclosure is the act of pointing out vulnerabilities in a web application, a software package or any other information system such that it can be fixed without getting exploited. For example, pointing out a vulnerability to the owner of a website can be deemed responsible, whereas placing it on an underground hacker forum is irresponsible.

The Ethical Hacker as Vigilant Neighbour
When I still lived with my parents, we had a neighbour who always knew what was going on in the street. Whenever we forgot to lock the car, he would point this out, and meddling kids were asked to behave. Having such a person living close to you is very helpful: it increases the (sense of) safety in the neighbourhood.

An ethical hacker has a position in society comparable to that of the vigilant neighbour, given that he is not a hired penetration tester. He notices vulnerabilities in web applications and tells the owner of the website about them. Whether he does this because he wants his own personal details better protected or because he feels a moral obligation does not matter, as long as there is no malicious intent. Simply put, an ethical hacker should not break information systems or steal data stored in those systems.

The Good Guys Are Not Getting Prosecuted
Generally, most ethical hackers are on the good side of the law, even though the news sometimes makes us believe otherwise. As long as no clear break-ins, data thefts or damages occur, there is not much ground for prosecution. In other words, when ethical hacking results in a criminal offence, the attacker has probably gone too far. Normally, the only thing that could get damaged should be the reputation of the vulnerable website, and they had it coming.

I am not in favour of creating special cases for responsible hackers in the criminal code. This would create a grey area, which could be abused by malicious hackers. Additionally, ethical hacking should go no further than noting the vulnerability and pointing it out. It should not end with a proof-of-concept exploitation, which could have unexpected results.

The Management Should Stop Watching Scary Films
The real problem with responsible disclosure is cultural. It seems like the managers behind most information systems took a long night off and watched all the scary hacking thrillers Hollywood has to offer. This has resulted in a disproportionate fear of hackers and the general idea that hacking is a form of black magic performed with a computer. However, in practice, there are also a lot of hackers that are security experts and want to make the digital world a better place. Additionally, most “evil” hackers are not powerful or knowledgeable at all.

Whereas locking a car or closing a window is an understandable security concept, the way computer hacking works is much more difficult to grasp. This leads to a wrong perception of hacking, and, thus, to a fearful and disproportionate response to those who want to be helpful. Although most legal threats would have no standing at all in court, they still scare off ethical hackers, as they do not want to enter a legal process to begin with. Therefore, responsible disclosure is plagued by a cultural misunderstanding.

Responsible Disclosure: It Is Time for a Cultural Change
Ethical hackers can be used to strengthen the overall security of our information infrastructure. This does not require large changes in our criminal legislation, but a change in our common perception of hacking. The grave fear of hacking needs to become a realistic understanding, where people are able to distinguish between good and evil. To make this possible, governments could start by giving the right signal and implementing good and responsible disclosure protocols. This allows us to use the power of ethical hacking to mitigate real threats.