Google: Wassenaar vulnerability rules 'dangerously vague' when clarity is crucial

Google believes the regulations will do little more than harm the bug bounty market and degrade the security industry as a whole.


Google has spoken out against US proposals to regulate the vulnerability market, saying the changes would ultimately harm users.

New export regulations, known as the Wassenaar Arrangement, were originally aired in May as a way to tighten and restrict the sale and export of so-called intrusion software and software vulnerabilities.

Those who export security-based tools, ranging from penetration testing packages to network scanning software or vulnerabilities -- such as zero-day exploits -- can expect to be affected by the rules, which Google believes are "dangerously vague."

Google formally submitted comments on the proposals to the United States Commerce Department's Bureau of Industry and Security (BIS) before publicly explaining the firm's stance on Monday. In a blog post, Google Legal counsel Neil Martin and Chrome Security Team member Tim Willis said:

"We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer.

It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."

The tech giant believes the proposed rules are "dangerously broad and vague," and, overall, are simply not feasible. In relation to Google itself, the new regulations as they are would force the company to request thousands -- perhaps tens of thousands -- of export licenses.

Add multiple countries and locations, plus the variety of communication methods used in relation to software vulnerabilities -- including emails, review systems, physical meetings, bug tracking and instant messaging -- and you have a framework so snarled that it would take an unfeasible amount of time to unravel.

This, in turn, would potentially delay vulnerability disclosure processes, verification and rewards.

Google also says you "should never need a license when you report a bug to get it fixed."

"There should be standing license exceptions for everyone when controlled information is reported back to manufacturers for the purposes of fixing a vulnerability," Google says. "This would provide protection for security researchers that report vulnerabilities, exploits, or other controlled information to any manufacturer or their agent."

Bug bounties are an important part of the software security development lifecycle. They give vendors the chance to use third-party specialists to hunt for vulnerabilities missed during earlier stages of development, and to improve the overall security of products as the threat landscape changes. Security researchers can submit flaws and receive both credit and financial rewards for their work.

Bug bounties which offer financial rewards are relatively new and run on an ad-hoc basis -- but they could be dissolved, to the detriment of both software vendors and users, should license requirements for individual submissions be invoked.

Without amendments and exceptions, the Wassenaar Arrangement could make vulnerability disclosure too difficult -- and potentially turn security researchers towards less legitimate sources to earn a return on the work required to find vulnerabilities and exploits.


Not only could the rules affect security researchers looking to submit vulnerabilities, but they could also affect how companies worldwide share information with their own staff. Google says that a company and its engineers, for example, should be able to share information concerning intrusion software regardless of where those employees are based.

Finally, Google says these controls should be changed as soon as possible, and clear, easy-to-understand instructions need to be produced to help everyone understand the need for licensing.

The tech giant says, "clarity is crucial." This also relates to how intrusion software controls and exports are managed. Licensing may, in an ideal world, be a way to harness and better control the vulnerability market -- but a balance between realistic expectations, disclosure and company policies must also be put into place if such a scheme is going to be successful.
