New report on coordinated vulnerability disclosure in Canada

Hey folks!

About me: My name is Yuan (you-anne) Stevens and I’m a law & policy researcher based in Canada with experience working with the Data & Society Research Institute in NYC on bug bounty programs (alongside Ryan Ellis of Northeastern — watch for our report coming out this fall), and I have previously worked with Gabriella Coleman, hacker expert & anthropologist at McGill University.

Why I’m writing: I’ve been a huge fan of the community for a while now and am thrilled to share with y’all a report I co-authored that looks at the state of coordinated vulnerability disclosure and anti-hacking laws in Canada:

The report is called See Something, Say Something: Coordinating the Disclosure of Vulnerabilities in Canada. It was spearheaded by me and my team at the Ryerson Leadership Lab at Ryerson University, through a project called the Cybersecure Policy Exchange that’s co-led by another group at the university, the Rogers Cybersecure Catalyst.

In our report, we looked at how the Government of Canada handles vulnerability disclosure, comparing the country’s policies with those of G20 members. We found that many (60!) G20 members have distinct and clear policies for facilitating vulnerability disclosure — but Canada does not. Canada is also falling behind approaches in the US, and those emerging in the UK, which generally promise to keep vulnerabilities disclosed through their VDP separate from their “equities management” process.

On top of current anti-hacking laws, the result could definitely discourage a good faith hacker from disclosing vulnerabilities to the government.

I’d love to receive any constructive / helpful comments or feedback from folks in this community on our report — please don’t hesitate to reach out here or at [email protected] if you want to chat more! Grateful for folks’ time & eyes here.