Her views were echoed by Dray Agha, senior manager of security operations at Huntress. “Organizations can support the process by rewarding responsible disclosure, avoiding knee-jerk legal threats, participating in community initiatives, and advocating for reforms that strike the right balance between preventing abuse and enabling legitimate research,” he said.
He added that the government should ensure that researchers are fully protected, calling for an independent oversight body to validate and support responsible research. “This could provide rapid advisory opinions, mediate disclosure disputes, and issue assurance letters so researchers are not left exposed when organizations are slow or uncooperative.”
And, he noted, companies are often slow to disclose security breaches, something which needs to change. “User organizations should be legally obliged to maintain a disclosure channel, acknowledge reports promptly, and work within a set remediation window. This lifts the burden from researchers and reduces the grey zone where they feel legally at risk,” he said.
