Wassenaar Arrangement Issues

I just returned from DefCon23, and one piece of news there was concerning enough to prompt this post. The Wassenaar Arrangement (also known as WA, or the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies), formed in 1996 by 41 countries, now threatens to set the field of vulnerability research back 10 or more years. Within that larger agreement, it is the United States implementation that is currently under discussion.

Under some interpretations of the Wassenaar Arrangement, the rules would prevent legitimate businesses and researchers from participating in bug bounty and responsible disclosure programs, the very programs that reward the bug hunter while at the same time killing the bug. Further, they would impact international cooperation on exploit research and counter-intelligence, making it hard for global teams to operate. The arrangement makes the sale of private 'intrusion software', that is, dual-use security tools, illegal, out of fear that companies like Hacking Team will sell exploits and post-exploitation kits that end up used to suppress certain groups of people. The problem is that the law overlooks the legitimate value of these dual-use tools and risks damaging the industry. Further, as many other researchers have pointed out, the bad guys are rarely stopped by such controls; so long as illicit and open source exploit kits remain at large, these controls will only harm the ability of legitimate organizations to research and prepare in this area.

That is why several prominent organizations have spoken out, including Google, the EFF, and @ErrataRob. I hope this post raises awareness of the issue while also reminding us why we have fought so hard for these dual-use tools: they help us understand and realistically prevent the underlying problems, rather than relying on inadequate attempts to legislate the threats away.