The regulations surrounding security researchers who find vulnerabilities in critical systems are unclear in countries around the world. The article argues that States “need to clarify their understanding of responsible disclosure” as existing regulations have failed to protect security researchers. Many corporations are struggling to fill cybersecurity roles so to fill the gap, many are participating in Bug Bounty Programs (BBP’s) where security researchers are offered a prize to find and report vulnerabilities. These ethical hackers are often far more effective than corporations hiring additional software engineers yet are neglected and hampered by “institutional deficits, legal uncertainties, or even political threats” leading to many to simply refuse to disclose vulnerabilities they have found. Many rules are inconsistent as while some attempt to protect researchers, others prohibit unauthorized access to computer systems, which is necessary for a researchers work, even for “white hat” hacking purposes. Researchers have also been pulled into global conflicts as for example, recently, payments to researchers in Russia and Belarus or Ukraine were blocked by the HackerOne service. Additionally, as some states block foreign researchers from disclosing vulnerabilities, the collaboration and relationship between white hat hackers and international BBP’s may be dead. The article argues that there need be more measures to protect private security researchers by clearing up legal uncertainties, preventing criminalization of researchers and to shape international standards for ethical hacking.
