Encouraging coordinated vulnerability disclosure: the protection of vulnerability reporters
ENInformation and communication technologies can contribute to the achievement of all Sustainable Development Goals; however, they are not immune to vulnerabilities that may result in cybercrimes. Ill-intentioned actors worldwide exploit vulnerabilities – weaknesses, susceptibilities, or flaws in an asset, system, process, or control that can be exploited by cyber threats in both the private and public sectors. A number of countries around the world have approached this problem through policies of coordinated vulnerability disclosure (CVD). This section of the research aims to establish the differences in the scope of legal protection provided for vulnerability finders at the national level, particularly considering possible negative consequences once the vulnerability is established and revealed. It discusses legal provisions regulating the process of CVD and criminal law provisions ensuring that vulnerability researchers do not face criminal liability. The analysis is limited to an overview of the legislative perspectives of different EU countries, as existing regulation is compared with the aim of establishing the scope of a common approach existing among the Member States. Furthermore, this section proceeds with a review of existing regulation in the EU in this field, and continues with a discussion on the added value of EU-wide regulation obliging Member States to empower CVD by establishing legal regulation protecting vulnerability finders. There is no uniform approach toward the protection of vulnerability researchers in the European Union, primarily because only very few Member States have a comprehensive CVD policy, which includes different aspects of the protection of vulnerability researchers. The legal protection of a researcher may incorporate different aspects, such as the acknowledgment of the vulnerability researcher or the right to stay anonymous, as well as the right to receiveve remuneration for their efforts.Due to the patchy legal framework in different Member States, the scope of these rights varies significantly both in existing national policies and the practices of private organizations. The NIS 2 Directive will clearly change the patchy regulatory landscape at the European level by harmonizing approaches towards CVD, since it requires Member States to implement a national CVD policy. Additionally, under the new regulation Member States will have to nominate their CSIRTs as trusted intermediaries between the reporting researcher and the entities providing ICT services likely to be affected by the vulnerability, which will harmonize the status of national CSIRT within CVD policy. Additionally, since the need for a common approach toward the criminal liability of security researchers relates to the harmonization of criminal law provisions, the revision of the Cybercrime Directive would be a proper choice. The sustainable development of infrastructure, as sought by the United Nations (hereinafter – UN) in the agenda for sustainable development (United Nations 2015; OECD 2021), requires resilient information and communication technology (ICT) solutions. In the view of the International Telecommunication Union (hereinafter – ITU) (2021), ICT can help advance progress towards each of the 17 Sustainable Development Goals (SDGs) identified by the UN. The efficiency and affordability of ICT infrastructure and services are key factors helping countries to involve themselves in the digital economy, leading to the increase of their economic competitiveness and well-being. The majority of the world’s 42 least-developed countries have demonstrated monumental improvement towards the sustainable development of infrastructure (Goal 9), with meaningful effects in financial inclusion, poverty reduction and health improvement.The ITU considers that ICT equips states with measures to provide first-rate goods and services in such areas as health care, education, finance, commerce, governance, and agriculture. These technologies can contribute to diminishing poverty and hunger, improve health, set up new jobs, mitigate climate change, increase energy efficiency, and render cities and communities increasingly sustainable. The COVID-19 pandemic has expanded connectivity due to more individuals moving online for work, studying or staying in touch with family and friends over lockdowns and confinement. On the other hand, the pandemic and associated economic decline have resulted in additional problems for the accomplishment of the SDGs. Since the international community has vowed to learn from the global pandemic challenge and “build back better,” expanded connectivity and ICT may prove to be a major part of doing so by empowering countries to employ increased connectivity for better engagement with their citizens in achieving the SDGs (ITU 2021). However, ICT is not immune to vulnerabilities. Any software may contain bugs or security flaws which can be exploited to cause harm. In 2022, 22,500 new common IT vulnerabilities and exposures were reported – the highest annual number to date (Statista 2022). Research from the National Telecommunications and Information Administration (hereinafter – NTIA) (2016) demonstrates that many finders manage to identify vulnerabilities in the course of their daily online activities. Often, they do not intentionally search for them in IT systems (Kranenbarg et al. 2018). Having found a vulnerability, a finder can choose to do nothing, take advantage of the vulnerability or auction it on the black market, or decide to reveal the vulnerability publicly. Alternatively, the finder can privately disclose the vulnerability under the terms of existing policies. [Extract, p. 341-342]
