Comment by n_u
6 days ago
> The security research community has been dealing with this pattern for decades: find a vulnerability, report it responsibly, get threatened with legal action. It's so common it has a name - the chilling effect.
Governments and companies talk a big game about how important cybersecurity is. I'd like to see some legislation to prevent companies and governments [1] behaving with unwarranted hostility to security researchers who are helping them.
I'm not a lawyer, but I believe the EU's Cyber Resilience Act combined with the NIS2 Directive do task governments with setting up bodies to collaborate with security researchers and help deal with reports.
The law seems written to target vendors and products rather than services though, reading through this: https://www.acigjournal.com/Vulnerability-Coordination-under...