[Openid-specs-risc] Fwd: [OECD ITAC] [SDE] [request for expert interviews] on security researchers "safe harbours"

Gail Hodges gail at oidf.org
Wed Jan 31 20:51:34 UTC 2024


Shared Signals WG

Would any of you have a perspective that the OECD could benefit from in an interview about “safe harbours” for security researchers? See their asks below. If you have a view you think they would benefit from, I will put forward your name and contact information.

More generally, I think at least one person should speak to the OECD about Shared Signals as one capability that can help improve security infrastructure more generally.

Gail

Begin forwarded message:

From: Christine Runnegar via oecditac <oecditac at elists.isoc.org>
Date: January 30, 2024 at 6:10:49 PM PST
To: "oecditac at elists.isoc.org List" <oecditac at elists.isoc.org>
Subject: [OECD ITAC] [SDE] [request for expert interviews] on security researchers "safe harbours"
Reply-To: Christine Runnegar <runnegar at isoc.org>

Hi all.

We have received a request from the OECD Secretariat for experts from ITAC to participate in an interview about “safe harbours” for security researchers in the context of security vulnerability detection, reporting, mitigation, etc.

While we are all super busy, given the very important role that security researchers play in Internet security, I hope that we will be able to provide some experts to help the OECD with this work. It would be really helpful to have good, strong policy guidance in this area coming out of the OECD that could be used in other IG fora.

The details are below.

If you are interested, or have suggestions as to who might be interested in helping with this request, would you please let us know.

Best regards,
Christine

====

My name is Bénédicte Schmitt. I am working within the OECD’s Digital Security and Safety unit, together with Laurent Bernat (CCed), who carried out work in this area (cf. the end of this message). The 2022 OECD Council Recommendation on the Treatment of Vulnerabilities calls on governments to develop safe harbours to protect security researchers, and to encourage the creation of guidance defining “ethical hacking” with a view to providing a basis for safe harbours.

I am currently drafting a paper to help OECD Members implement these provisions in their national policies. The first draft will be discussed by the OECD Working Party on Digital Security in May.

I am carrying out interviews of experts involved in vulnerability disclosure to best inform this work and ensure a balanced and neutral outcome.

Interviewed experts will not be mentioned in the paper, apart from a generic acknowledgement in the foreword, which may be pseudonymised or even anonymised.

Would you be available for a 1h interview on these topics? Here are examples of questions we could discuss:
· What protection does your jurisdiction provide to researchers, if any? Is it sufficient, and how could it be improved?
· What obstacles are currently preventing effective safe harbours from being created?
· What would an ideal safe harbour protect researchers from?
· What policy measures other than legislation could governments use to create and implement safe harbours?
· Should a safe harbour contain measures to discourage wrongful legal threats and pressure on vulnerability researchers, and if so, through which measures?
· What key principles should vulnerability researchers respect to benefit from safe harbour protection?
· Do you have examples of comprehensive guidance for security researchers that could be used to support safe harbour protection?
· Do you think that a “chartered profession” with specific ethical rules should/could be created for vulnerability researchers?

In addition to those questions, feel free to send me any comment you may have when thinking of safe harbours and guidance for vulnerability researchers.
I am looking forward to getting your feedback on these challenging issues, either by mail or through a video call.

NB: Previous OECD work in this area:

  *   Recommendation: <https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0482>
  *   Policy note: <https://web-archive.oecd.org/2021-02-10/579070-encouraging-vulnerability-treatment.pdf>
  *   Policy paper: <https://www.oecd-ilibrary.org/science-and-technology/encouraging-vulnerability-treatment_0e2615ba-en>
  *   Background paper: <https://one.oecd.org/document/DSTI/CDEP/SDE(2020)3/FINAL/en/pdf>

_______________________________________________
oecditac mailing list
oecditac at elists.isoc.org
https://elists.isoc.org/mailman/listinfo/oecditac

View the Internet Society Code of Conduct: https://www.internetsociety.org/become-a-member/code-of-conduct/