Security researchers are the first defenders against data breaches. Ethical hackers find vulnerabilities in systems and expose them to product vendors so they can be patched before they are exploited maliciously. Finding and exposing these vulnerabilities is not a criminal act, it is done with the intent of making the products safer for consumer use.Eighty-four percent of the survey participants did feel that more legislation is needed to protect people/organizations from malicious hackers, though many felt lawmakers need guidance – for 35 percent, it was "Yes, but in partnership with infosec experts." The survey also explored participants' own organizations' experiences in receiving vulnerability reports. Thirty-sixpercent said that their organization has received an unsolicited vulnerability report in the past, while about half (53 percent) said their organizations have an official channel where external security researchers can easily submit vulnerabilities found in their products or services. A quarter (24 percent) said their organization has been the target of an extortion scheme related to the release of vulnerability details. Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at Tripwire, had this to say:
While it's a good idea for all organizations to be open to receiving research, 53 percent having an official channel is better than some stats we've seen in the past. Last year a report came out saying 94 percent of companies on the Forbes Global 2000 have no discernible way to receive reports about vulnerabilities in their networks. Vulnerability reports are submitted to help the company better protect themselves and their surfaces. The point of responsible disclosure is to build a safer internet. Those who have submitted vulnerabilities as part of an extortion theme are not representative of the responsible researchers.The survey results show that responsible security research remains a complicated issue. Some remain concerned about researchers looking into their product and services without their prior knowledge, but there's an important distinction between those who do this work for the betterment of society and those who do it for their own personal gain or other malicious intent. For more on Tripwire's position on security research, read our open letter on the Georgia legislation here: https://www.tripwire.com/state-of-security/government/why-we-believe-georgias-s-b-315-bill-will-increase-cybersecurity-risk/.