Vulnerability Disclosure Programs (VDPs) are not only being promoted by more and more organizations and officials, they’re an easy-to-implement yet critical part of any company’s security apparatus. But there are legal issues to consider, and we had a top cybersecurity attorney offering advice at the recent Security@ event.
Matthew J. Gardner is a lawyer at Wiley Rein, LLP, focused on cybersecurity risks, policies, and procedures. Prior to joining the firm, he spent 9 years as a federal prosecutor, specializing in computer crimes. In this session, he talked about emerging trends related to VDPs, how the federal government is approaching hacker-powered security, and the implications of the main governing law: the Computer Fraud and Abuse Act (CFAA).
As Matthew discussed during the session, white-hat hackers operate in a legal gray area. The broad language of the CFAA essentially covers any unauthorized access to any computer, including ethical hacking. The law is also, as Matthew put it, “a bit of a mess”, and that’s why attorneys tend to get involved and where VDPs can help.
While the language of the law states that any unauthorized access is illegal, Matthew talked about how a VDP serves as a good faith exemption and eliminates any ambiguity that might be misinterpreted by organizations or hackers.
“It boils down to consent,” said Matthew. “That is going to distinguish the line between what is legal and illegal, and a well crafted vulnerability disclosure program is going to make that granting of consent very clear.”
Watch Matthew’s full session to learn more about the benefits of VDPs, what organizations should consider as they craft their VDP, and the latest legal trends related to VDPs.