Posted in Vulnerability Analysis
Art Manion and I recently submitted comments to the Department of Commerce Bureau of Industry and Security on their proposed rule regarding Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. While our detailed comments are lengthy, we summarize our contributions here.
We're experienced in the security research field, but not in the export control field. We reviewed the proposed rule carefully, but we don't understand some important aspects of it. We recommend creating a second draft and establishing a corresponding comment period.
We are concerned about the likely chilling effects on vulnerability discovery and disclosure. Such effects could impair vulnerability remediation and management.
Difficulty and ambiguity in defining what software (technology) is meant to be covered by the proposed rule are likely to have the unintended consequence of chilling beneficial public security research. To ease this risk, we recommend the following:
Our detailed comments are also available.