UPDATED 20:17 EST / APRIL 13 2023

SECURITY

New initiatives seek to promote favorable environment for good-faith security research

The Center for Cybersecurity Policy and Law today announced two new initiatives aimed at creating a more favorable legal, policy and business environment for good-faith security research and vulnerability disclosure.

The first initiative, the Hacking Policy Council, is a new group that aims to make technology safer and more transparent by facilitating best practices for vulnerability disclosure and management. The council will also advocate for legal and policy reforms to empower good-faith security research, penetration testing and independent repair for security.

The Center for Cybersecurity Policy and Law argues that outdated laws are creating restrictions and liability for security practices. And it says emerging legal requirements on vulnerability disclosure and management are not always clear or in the best interests of security.

Key goals of the Hacking Policy Council include creating a more favorable legal environment for vulnerability disclosure and management, collaboration between security, business and policymaking communities, preventing new legal restrictions on security research and related fields, and strengthening organizational resilience through effective adoption of vulnerability disclosure policies and security researcher engagement.

The council’s founding members include Bugcrowd Inc., Google LLC, HackerOne Inc., Intel Corp., Intigriti NV and Luta Security Inc. “This is an all-star team of substantive experts with global reach and deep ties to the security and policymaking communities,” Ari Schwartz, coordinator of the Center for Cybersecurity Policy and Law, said in a statement.

The second initiative, the Security Research Legal Defense Fund, has been established as a standalone 501(c)(3) nonprofit organization. It will help fund legal representation for people who face legal problems from good-faith security research and vulnerability disclosure in cases that would advance cybersecurity for the public interest.

The formal announcement came alongside the release of a white paper from Google that proposes initiatives to improve the vulnerability management ecosystem. Along with being a founding member of the Hacking Policy Group, Google also provided seed funding to the Security Research Legal Defense Fund.

Dave Gerry, chief executive officer of crowdsourced cybersecurity company Bugcrowd, told SiliconANGLE that his company wants to see a business and regulatory environment that helps protect consumers, security researchers and enterprises, and increases the likelihood of vulnerabilities being identified and remediated before malicious actors have the opportunity to exploit them.

“We believe that promoting best practices in these areas will help protect consumers, enterprises and society by increasing the likelihood that vulnerabilities will be mitigated before malicious actors exploit them,” he said. “By leveraging the collective creativity of the hacker community, organizations can bridge the gap between the need for better security practices and their lack of in-house talent.”

Gerry added that unaddressed vulnerabilities put both organizations’ and their users’ security at risk. “It’s my hope that this council can help bring clarity on vulnerability disclosure to set security standards that currently encourage beneficial cybersecurity activities,” he said.
