Without much fanfare, negotiators crafting the Wassenaar Agreement earlier this month moved to make things easier for infosec white-hats.
As we reported last year, the Wassenaar talks have been proceeding at a glacial pace, which was bad news for the IT sector because of the treatment of tools used to find vulnerabilities and create exploits.
Tools like Metasploit (to pick just one example) would, if that interpretation stood, need to be supported by an export licence between signatories – a tedious process that leaves researchers at the mercy of bureaucratic whim.
Earlier this month, as recorded in this document [PDF], a few minor changes in wording were made that change the picture.
At the December meeting, the parties agreed to add technical notes “for the local definitions [of] ‘vulnerability’, ‘disclosure’ and ‘cyber incident response’”, and adopt a revised statement of understanding for the section (4.E.1 of the dual use technologies list).
The most current version [PDF] of the controlled products list now explains that the two worrying items (4.E.1.a and 4.E.1.c) “do not apply to ‘vulnerability disclosure’ or ‘cyber incident response’”.
The list also defines vulnerability disclosure so as to allow individuals and organisations “responsible for conducting or coordinating remediation” to communicate and analyse vulnerabilities.
‘Cyber incident response’ also gets a definition, so individuals and organisations can exchange information to help them resolve incidents.
So what? According to this commentary published at The Hill, by Luta Security’s Katie Moussouris (a participant in the talks as a vulnerability expert), it’s important, because “the specific cross-border sharing activities around vulnerability disclosure and security incident response are exempt from requiring export control licenses as dictated by Wassenaar.”
According to the December plenary statement of outcomes [PDF], controls over computers were also relaxed, partly because performance-based export controls quickly fall behind the development of newer, bigger, and faster machines. ®