HP on Legal Hacking and the Law


Jewel Timpe has a cool job. As the senior manager of Threat Research at HP Security, she engages with security researchers and pays for discoveries that could be exploited by hackers. Buying vulnerabilities is part of HP's Zero Day Initiative (ZDI).

Speaking at last week's Black Hat USA conference, Timpe detailed her views on best practices and how security research intersects with the law. In an interview with eSecurityPlanet, she explained that the term "hacking" is overexposed in the media and isn't necessarily a bad thing.

Security researchers need to be aware of multiple laws, including the Computer Fraud and Abuse Act (CFAA), Timpe said. The CFAA is a somewhat ambiguous piece of legislation that could potentially be used against legitimate researchers as well as malicious threat actors.

When engaging with researchers and acquiring vulnerabilities, HP employs a comprehensive and vetted process to keep things within the bounds of the law. A researcher must sign a contract, in which they agree to behave in certain ways, to be part of the ZDI program. The contract includes disclosure and research practices.

"Researchers submit a case through a Web portal and then we review it," she said.

Validating Identity

HP is quite careful with validation and authenticity, Timpe said. While HP will credit researchers anonymously for their efforts, behind the scenes HP must know their real identities. All researchers are vetted and known to HP.

"We know who we're dealing with," Timpe said. "Generally speaking we haven't had problems with our researchers."

Timpe stressed that no one organization can do security on its own and it really takes a community of security researchers as well as vendors.

"There are those out there that are intentionally trying to do harm with technology, and then there are the rest of us that need to stick together," she said. "Global governments need to engage with the security research community to learn how to make global agreements to help improve security efforts."

Many in the security research community are cynical and wary, Timpe said, but at some point they must engage with policy makers to ensure that overall security moves forward. Governments want to protect themselves and their citizens from security breaches, which can potentially lead to restrictive laws, she added.

"For ZDI and what we're trying to do, we're OK and we're able to operate and function under the laws that are currently in place and we want to keep it that way," Timpe said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.