Ethical hacking, vulnerability disclosure, AI red teaming, and penetration testing improve security for consumers, enterprises, and society. However, outdated laws create restrictions and liability for these practices, and emerging legal requirements on vulnerability management are not always clear or in the best interests of security. There continues to be a lack of awareness and effective adoption of best practice, and policymakers have not implemented practical solutions to protect and encourage vulnerability disclosure and management. 

Key goals of the Hacking Policy Council

• Create a more favorable legal environment for vulnerability management and disclosure, bug bounties, AI red teaming, good faith security research, and pentesting; 
• Grow collaboration between the security, business, and policymaking communities;
• Prevent new legal restrictions on security research, pentesting, AI red teaming, or vulnerability disclosure and management; and
• Strengthen organizations’ resilience through effective adoption of vulnerability disclosure policies and security researcher engagement.

Our Work - 2024

• Resource on vulnerability management under the EU Cyber Resilience Act – Oct. 28, 2024
• Comments to the Pall Mall Process Consultation Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities – Oct. 14, 2024
• Comments to Bureau of Industry and Security on Proposed Rule for Reporting Requirements for the Development of Advanced Artificial Intelligence Models – Oct. 10, 2024
• Comments to NIST on Managing Misuse Risk for Dual Use Foundation Models – Sept. 9, 2024
• Comments to UK AI Cybersecurity Code of Practice – Aug. 9, 2024
• Comments to UK Code of Practice for Software Vendors – Aug. 9, 2024
• Comments to CISA on Cyber Incident Reporting for Critical Infrastructure (CIRCIA) – Jul. 3, 2024
• Comments to Coast Guard on Cybersecurity in the Marine Transportation System – May 22, 2024‍
• Changes Needed for Vulnerability Infrastructure and the National Vulnerability Database – May 12, 2024‍
• Letter to ONCD on vulnerability disclosure in National Cybersecurity Strategy Implementation Plan - Apr. 15, 2024‍
• Reply comments for DMCA Section 1201 exemption for generative AI research – Mar. 19, 2024‍‍‍
• Comments to New York State Department of Health on Proposed Hospital Cybersecurity Requirements - Feb. 5, 2024‍‍
• Comments to NIST on AI Testing and Red Teaming - Feb. 2, 2024

Our Work - 2023

• Comments for DMCA Section 1201 exemption for generative AI research – Dec. 21, 2023‍
• AI red teaming – Recommendations for legal clarity and liability protections – Dec. 12, 2023‍
• Recommendations to encourage vulnerability disclosure under US National Cyber Strategy – Dec. 12, 2023‍
• DEF CON 31 workshop – Training security pros to send official feedback to policymakers – Aug. 11, 2023‍
• Hacking Policy Council Position Statement on State Charging Policies for Security Researchers – Aug. 8, 2023‍‍
• Comments to NIST on SP 800-171 – Jul. 12, 2023‍‍‍
• Hacking Policy Council Position Statement on Vulnerability Disclosure and Handling to Governments – Jun. 14, 2023‍‍
• Hacking Policy Council Joint Letter to OFAC re Vulnerability Guidance - May 17, 2023‍
• Hacking Policy Council launch press release – Apr. 13, 2023‍
• Recommendations for vulnerability disclosure requirements under Cyber Resilience Act – Mar. 31, 2023‍
• Joint comments to NIST on vulnerability disclosure and Cybersecurity Framework v2.0 concept paper – Mar. 17, 2023