How the Wassenaar Arrangement threatens responsible vulnerability disclosures

Security researchers are finding themselves encumbered by a 1996 international agreement to restrict the sale of "dual-use technologies," making it difficult to collect bug bounties.

Image: iStock/Rawpixel Ltd

Since the introduction of the first bug bounty program at Netscape in 1995, the creation of such programs has become commonplace in the industry, with Google, Facebook, Microsoft, and many other companies providing a cash bounty for the responsible disclosure of security vulnerabilities for enterprise and consumer products.

However, a proposed rule change to the Wassenaar Arrangement — an international agreement started in 1996 concerning the sale and export of military-grade weapons — threatens the ability of independent researchers to disclose vulnerabilities and provide proof-of-concept code in exchange for money. This rule change would have a substantial and chilling effect on the security industry, and would likely disproportionately affect independent, self-employed researchers from making a living on bug bounties.

Who wants the rule change, and what rule is changing

The US Bureau of Industry and Security (BIS) is proposing a licensing system for the export or in-country transfer of, among a much longer list of covered items, "technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor." This licensing system is on top of the 2013 decision that brings information security technology under the purview of the Wassenaar Arrangement.

Interestingly, the proposed rule change is subject to a 60-day comment period (which ends July 20, 2015), a fact that is noted as being relatively uncommon by Michael Mimoso at Kaspersky Labs' ThreatPost blog. The coverage at ThreatPost points out that the language used in the BIS proposal is both vague and overly-broad, noting that "carrying homegrown proof-of-concept exploits internationally for conference presentations, for example, constitutes a violation and could result in heavy fines, or worse." In a teleconference with ThreatPost, BIS Information Technology Controls Director Randy Wheeler stated that "Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled."

Information from the Electronic Frontier Foundation (EFF) appears to indicate that the BIS does not fully comprehend how its rules would impact the security industry. BIS attempts to draw a distinction between "vulnerability research" and "software that is used to help develop 0-day exploits for sale"; however, many of the software tools used to find and demonstrate vulnerabilities are used by both responsible researchers who may collect a bug bounty, and those who would sell exploits on the black market. Naturally, proof-of-concept exploit code accompanies a large percentage of vulnerability disclosures. The definition of "sale" is also an issue of contention, as the exchange of money in a bug-bounty program could be interpreted as a sale under the vaguely-worded draft, which does not clearly enumerate protections for bug bounty programs.

What this is actually intended to target

These proposed changes to the Wassenaar Agreement are intended to target black hat hackers profiting from the sale of these vulnerabilities or finished products (spyware, trojans, etc.) to criminal organizations or governments using them for nefarious purposes.

The most visible of these targets is the uncreatively-named Italian organization Hacking Team, which sells software reportedly able "to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication." According to Motherboard, the US Drug Enforcement Administration (DEA) bought software from Hacking Team as early as 2012. Hacking Team has repeatedly denied selling its software to "countries that international organizations including the European Union, NATO and the US have blacklisted." Despite this claim, Reporters Without Borders named Hacking Team as one of its "Corporate Enemies of the Internet" in a 2012 report for providing hacking tools to oppressive regimes. Of note, Italy is a signatory to the Wassenaar Arrangement.

On July 5, 2015, a 400 GB document dump of files from Hacking Team, including emails and financial data, were shared on BitTorrent. According to coverage of this document dump at ZDNet, files indicate that despite claims that Hacking Team did not sell products to the Sudanese government, "the company instructed the Sudanese government to pay €480,000 ($530,000) by wire transfer. (ZDNet and TechRepublic are unable to verify the authenticity of the documents.) Among other information recovered in the document dump, the source code of Hacking Team's products has been uploaded to GitHub, and the Twitter account of Hacking Team had been compromised.

What's your view?

Will these proposed changes force you to go about the disclosure of vulnerabilities differently? Will you or your organization make a comment to BIS before the open comment period closes on July 20, 2015? Share your views in the comments section.

Also see

Note: TechRepublic and ZDNet are CBS Interactive properties.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox