HP Pulls Out of Hacking Contest, Citing Changes to Wassenaar Arrangement

September 08, 2015

The Pwn2Own hacking competition to be held at the PacSec conference in Tokyo, Japan has lost one of its biggest sponsors: Hewlett-Packard pulled out over legal concerns regarding the recent changes to the Wassenaar Arrangement, an international treaty that governs software exploits. According to event organizer Dragos Ruiu, HP and its Zero Day Initiative declined to participate due to Japan’s implementation of Wassenaar. The decision was made a couple of months ago after consulting with internal legal and compliance experts. HP’s decision was based on the real-time transfer of research from the researcher to HP ZDI to the affected vendor.

What is the Wassenaar Arrangement?

The Wassenaar Arrangement is a multilateral export control regime for Conventional Arms and Dual Use Goods and Technologies. The primary goal of the arrangement is to prevent the proliferation of conventional arms such as uranium, and to keep them out of the hands of regimes that could use them against their own people and neighbors. In 2013, the agreement was amended to include internet-based surveillance systems, bringing new technologies like intrusion malware, intrusion exploits, and IP network surveillance systems under the export control regime.

Last year, Wassenaar added cyberweapons to the list, limiting the ability of security researchers to disclose vulnerabilities and provide proof-of-concept code in exchange for money, as a lot of security vendors offer bug bounties.

Why is it important?

A good deal of cybersecurity research involves hunting for vulnerabilities and bugs in software, applications, and systems that hackers can exploit and use to break into computers. Over the years, the pursuit of these vulnerabilities has dramatically improved cybersecurity.

When bugs are found before a patch is released, they are called zero-days. Typically, security researchers report these discovered zero-days to companies in order for them to fix the bugs. Sometimes, a researcher may sell the zero-day to other parties—such as cybercriminals or other foreign parties—who might exploit them. The Wassenaar agreement aims to close this gaping loophole. Unfortunately, the changes would technically make security research on zero-days illegal.

As vague as the updated proposal is, Trend Micro Chief Technology Officer Raimund Genes believes that as long as it prevents the sale of vulnerabilities, the motion makes good sense. “Security vendors need to stop paying money and go back to promote and eventually hire these excellent researchers. This rule change is welcome as long as governments commit that they don’t buy vulnerabilities for cyber offense anymore. They should convert their own bug hunters into white hats that can make the digital world a safer place by responsibly disclosing the vulnerabilities before they are misused in the wild,” he shares.
