Security research stifled in key situations

As ransomware attacks and zero-day vulnerabilities continue to dominate headlines, security professionals are lamenting the sizable gulf that remains between those who want to share information and those tasked with protecting the company legally.

Incidents including the spate of ransomware attacks on companies around the world as well as critical bug disclosures have led to calls for private companies and government agencies to not only strengthen their internal security practices, but also better engage with outside researchers who can assess networks from a fresh perspective and sniff out critical security flaws.

“Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack,” White House adviser Anne Neuberger wrote in a recent memo to companies. “Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.”

Despite these efforts, however, many in the security research community continue to be frustrated with the legal walls that prevent them from sharing their findings with both other companies and the outside world.

A disturbing trend

While the decision of when and how to ethically disclose vulnerabilities to the public has long been a point of contention between the hackers who suss out flaws and the software vendors that fix them, the debate has recently taken on a different tone.

One of the more problematic practices to arise in recent years is what some industry veterans see as the misuse of nondisclosure agreements (NDAs) not only to silence external bug hunters, but also to trick them into one-sided research deals.

Katie Moussouris, founder and CEO of Luta Security and the architect of vulnerability research programs at Microsoft and the U.S. Department of Defense, said these predatory nondisclosure deals are frequently being used to isolate bug researchers, making them think they are being pitted against others to disclose a bug they have, in fact, exclusively uncovered. This, in turn, allows the company to sit on a report and leaves the hacker entirely out of the discussion on when a security flaw can be released to the public.

“A disturbing trend has come…