Don’t penalise cybersecurity researchers!

We wrote to CERT-IN regarding their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. Such a policy would make researchers reluctant about reporting vulnerabilities and so a robust disclosure mechanism is needed.

13 October, 2021

On CERT-IN’s new Vulnerability Disclosure Policy

tl;dr

We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

Background

Cybersecurity researchers in India have long faced threats for their work. Previously, we had highlighted the example of journalist Dissent Doe, who was sued for disclosing a leak in client data. A more recent incident is the Mobikwik data breach earlier in March this year, in which Mobikwik threatened to take legal action against the security researcher who uncovered the breach and suggested that the researcher was ‘trying to grab media attention’. We have written about the need to protect cybersecurity researchers before: our submissions on the National Cyber Security Policy and the Personal Data Protection Bill, 2019 contain granular recommendations on how to build a robust and transparent system for vulnerability reporting. Through our #DataProtectionTop10 series, we have further elucidated how the Personal Data Protection Bill, 2019 fails to adequately protect whistleblowers, digital security researchers, and vulnerability testers.

On 3rd September, 2021, the Indian Computer Emergency Response Team (CERT-IN) released its new ‘Responsible Vulnerability Disclosure and Coordination Policy’ with an aim to strengthen trust in the ‘Digital India’ and ‘Make in India’ campaigns, and to encourage responsible vulnerability research. The Policy provides information about where cybersecurity vulnerabilities in products and services can be reported, the details expected in vulnerability reporting, the procedure by which CERT-IN will examine and act upon such reports, and the timelines for resolving issues.

Now, while the Policy furthers transparency (to an extent) and clarifies the process of reporting to CERT-IN, it contains a significant issue: the Policy effectively discourages the reporting of vulnerabilities! Clause 7 of the Policy states that:

“The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her / him for discovering the vulnerability whatsoever.”

Penalising good faith disclosures

Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and penalised for disclosing genuine security vulnerabilities. Section 43 of the IT Act penalises anyone who gains unauthorised access to a computer resource without the permission of its owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith, they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole to press charges against cybersecurity researchers who expose data breaches at those companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’), which adopt a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders, including research organisations and security experts, for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the Policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

Growing need for improved security

Digital security researchers and vulnerability testers are an important class of people in the cybersecurity arena. With our increased dependence on technology, data breaches have become the order of the day. We often come to know about these data breaches not from the data fiduciaries, but from independent researchers. For example, the Mobikwik data breach and the Facebook data breach reported earlier this year were brought to light not by the companies themselves but by independent researchers.

The importance of cyber security researchers is further underlined by the increase in data breaches and security incidents. Research conducted by Micro Focus shows that Indian organisations have seen a 58.2% increase in the volume of cyberthreats. Moreover, February 2021 witnessed a mammoth 9.04 million brute force attacks, compared to 1.3 million in February 2020. The study by Micro Focus also shows that 98% of Indian organisations have a shortage of IT Security Personnel, in violation of applicable law. As the COVID-19 pandemic causes more aspects of modern life to go digital, the threat, and indeed incidence, of such attacks will only rise further.

The economic impact of data breaches is also tremendous. An IBM study reported that the average data breach in India in 2021 cost Rs 16.5 crore, an increase of 17.8% from 2020 (Rs 14 crore). The per-unit data cost increased by 6.85% to Rs 5,900. The report also noted that the average time to detect a breach went up from 230 days to 239 days, while the average time to contain a breach went down from 83 to 81 days. This indicates a significant amount of information and data loss for users.

Protect cybersecurity researchers now!

It is imperative that CERT-IN’s vulnerability disclosure policy reflect the urgent need for a robust vulnerability reporting mechanism that protects vulnerability researchers from harm. To this end, we recommended that clause 7 of the Policy be amended, and that an explicit provision protecting genuine security disclosures from vexatious legal claims and proceedings be specified. This must be complemented by adding a narrowly tailored good faith exemption for security researchers to the Schedule of the Personal Data Protection Bill, 2019.

Important documents

  1. CERT-IN’s Responsible Vulnerability Disclosure and Coordination Policy (link)
  2. IFF’s representation to CERT-IN regarding ‘CERT-IN’s Responsible Vulnerability Disclosure and Coordination Policy’ (link)
  3. IFF’s submissions on the National Cyber Security Policy (link)
  4. IFF’s Public Brief on the Personal Data Protection Bill, 2019 (link)
  5. Previous blogpost titled ‘Security researchers need legislative protection for responsible disclosure’ dated 15th January, 2020 (link)
  6. Previous blogpost titled ‘#DataProtectionTop10: Protecting whistleblowers, digital security researchers, and vulnerability testers’ dated 4th June, 2021 (link)
