Welcome everyone, we're ready to start with the next session. We will have Chloe presenting on the internet's autoimmune system. Chloe, amongst other things which she will discuss a bit further during the presentation, is a security researcher advocate at Bugcrowd. So please join me in welcoming Chloe, everyone.

Let me just say this Mata is delicious. All right, let's get started. So we're gonna just kind of dive into the current landscape of Canadian laws. That's right, I studied Canadian laws for 48 hours, so now I think I know it more than the US laws when it comes to the hacking community. Then we're going to dive into what's needed, a little bit about safe harbor and disclose.io, and all hands in. And I do have these beautiful stickers if you want some afterwards.

All right, just want to say once again, this is not legal advice. I am not a lawyer, not in the US, not in Canada. I did try to go to law school; I wanted to be that human rights attorney, and then I realized that might be tricky. So I didn't go.

So a little bit about myself. I'm a security researcher advocate at Bugcrowd. Who has heard of Bugcrowd? Raise your hand. Excellent, lovely. How many of you guys do bug bounty as a program manager? Raise your hand. Cool. Okay, how many of you guys are hackers and have done bug bounty? Raise your hand. This is nice. All right, great. I also head Women in Security, WoSEC. I'm also the chapter head of the San Francisco Bay Area, and yes, we have chapters all over the world. So ladies, if you want to create a Women in Security chapter, talk to me afterwards and I'll help you out. When I'm not doing work, I do mentoring for infosec, for keeping women in the field in every possible way. I do do speaking on diversity and inclusion, bug bounty, and safe harbor, which you'll see today. I am a board member for nonprofits. I also founded a nonprofit called Drop Labels, and last but not least, I just released Women Who Hack, a Slack workspace, so any ladies that are hackers,
let me know, you'll be invited. All right, let's dive into this. So this is gonna be scary, I know, but I promise I'll try to make it as nice as possible. Who here has heard of Kelly Dunham, anyone, this case? All right, so Kelly Dunham basically came across 285 personal accounts, and this is Family Services, so that means kids' information, parents' information, where they live and whatnot. She decided to go and contact Family Services about it, and they never responded, never got back to her. And one and a half months later, because she was just like, my personal info is out there, my kids' personal info is out there, something needs to be done, she posted on a private Facebook group with the hyperlink of the PDF. And right away, of course, someone contacted Family Services about it, and now they're facing a giant case, like a lawsuit. But the other thing you should note is that whenever you go against a big organization, guess what happens? They come after you too. So now she is facing criminal charges, and right now it's an unknown decision at this time.

So right now I want to focus on the Copyright Act and the Criminal Code. Once again, I'm not an attorney, so don't take this advice all the way, but I'm just giving you some information. So the Copyright Act is broken down into two parts. Consent: you got consent from the owner itself that you are okay to do hacking on a certain thing, so something that's in scope. Also, if you want to disclose something, you have to give a reasonable notification. Now that sounds really easy and simple, right? However, sometimes it could be a very different situation, because sometimes you need to find not just the copyright holder, but maybe it's actually the network operator. For example, if you are pentesting on site A, guess what? Maybe the Microsoft server has the issue. So you can't just disclose only to someone at support for website A; you actually have to also talk to the Microsoft server contact, because that is the copyright owner.
So trying to figure out who to contact is ambiguous, first of all. The other thing is you could definitely run into an issue, a legal situation. And last but not least, reasonable notification in Canada is very interesting: there's no actual timeline. So say you do contact them and they don't respond right away; it doesn't necessarily mean you gave reasonable notification. So reasonable notification is something very ambiguous, once again. But also there's a little clause in there, and what it says directly is that if it is in the public interest for you to disclose publicly before going to them, that is acceptable. Now the thing is, how do you figure out which one is correct and which one is not?

So now, this is important. So what are the two takeaways of the Copyright Act I want you to know? It's very ambiguous, it's very broad, and it definitely can lead security researchers in good faith to end up in a lawsuit. But most importantly, the public disclosure versus notifying time frame, that's also up in the air. Regardless, it is a catch-22 situation in many ways.

Criminal Code. So the Criminal Code is one where you decide to do some ethical hacking and maybe you stumbled upon a vulnerability that was out of scope. It happens, right? And during this time you could be prosecuted, believe it or not, because you went out of scope even though you stumbled upon it.
This is another issue. So always asking for permission ahead of time is a given, but sometimes you run into situations where you didn't know to do that, and you don't know who to contact, which could be a very troubling situation. Because even if you accidentally find someone's personal data, then what happens is that it can lead you into a possible prosecution situation.

But don't worry, you're not the only ones that are freaking out as hackers. Believe it or not, program managers are scared too when they do bug bounty, because they're basically opening the space to be like, hack on us, but please respect our in scope versus out of scope. And what happens is that they do need you, believe it or not. There are so many situations where we need, as hackers ourselves, to be that everyday hero. We find vulnerabilities, we want to keep our neighbors safe. So how do we do this in a way, but also how do we get the program managers to commit with us as well? Because they're scared at night too, believe it or not.

So I know that was a little scary. So here's some puppies, and I did put one cat in there for any cat lovers. I have a dog, so I'm a dog lover, so I did try to be inclusive here. Anyway.

So what do we need right now? Perhaps better sleep, right? Or better communication, standardized language, maybe another Red Bull. I highly suggest doing sugar-free so you don't get that sugar crash. But what do we really need? We need standardized, easily readable safe harbor language, so then we can keep this bilateral mechanism to try to keep each other safe, especially our loved ones when it comes to our personal info. Also, how do we reduce the ambiguity? Because it's not just Canada that has this issue; the US has it too. So how do we go about this and increase visibility for security research programs to include explicit safe harbor status? I give you disclose.io. Who here has heard of disclose.io? Raise your hand. Wow, okay. This is great.
I guess we're gonna get some info about disclose.io. So disclose.io is basically broken into two parts. So one is the standardized vulnerability disclosure language that companies can adopt and put onto their website. And then there's another part, which is the list, which is the hackers' list in my opinion. So what I want to do is, when I want to see whether or not I want to do a vulnerability submission or whatnot, I'll look on this list and I'd be like, okay, what companies are practicing safe harbor? Because I'm gonna feel a little bit safer if I'm disclosing a vulnerability. This list is amazing for that, and I'll show you reasons why it's even better than what I just shared with you.

So disclose.io, what it is, is a framework for both companies and researchers to participate equally together, to try to keep a safe environment while keeping the entire world safe. And the framework is designed to balance. So the most important thing is the readability. A lot of times we have researchers that are all over the world, and maybe English is not their first language. So sometimes they'll be looking at the legal terms when there's maybe a bug, and what happens is that they didn't read what was in scope or out of scope. Or, how many of you guys have an Apple product, and it's like terms and conditions: how many of you guys actually read that entire thing every time? Exactly. So not only are English-second-language speakers having issues figuring out what this jargon means, but also ourselves: we don't want to go over these terms and conditions sometimes. So it's very, very important that we keep everyone in a way that everyone understands and appreciates the language and also can practice safe harbor safely. And disclose.io also works with attorneys around the world. Safe harbor for researchers, where researchers participate, and also for program owners.

So the requirements to participate, if you are a program manager: most importantly, you got to say what is the scope.
What is the scope, and be very explicit in the scope, because you don't want people to go out of scope. So being more explicit is gonna be very important. Next is rewards. You know, let us know: will you give us swag? Will you pay us? These are things that a lot of security researchers want to know. Also official communication channels. I don't know about you guys, but sometimes it takes hours to find a contact email, and sometimes it could take days, and at that point sometimes our vulnerability gets exploited, and that's a situation. So having a very official communication channel is gonna be very important. And last but not least, participating in the disclosure policy. I could just read this list, but I feel like you guys could read it yourself. But basically there are three different types of disclosures that we do work with, and you would have to also note that. So once again, the language itself, believe it or not, is already part of disclose.io, so you could actually copy and paste if you want to practice safe harbor.

Now there are expectations. So if you are a program manager, you need to extend safe harbor for your vulnerability research that is related to this policy. That means you will participate in safe harbor. The next thing is you will work in a timely manner. That means sometimes people will be like, I found this submission, and you don't respond until like three months later. That's not gonna work. So you have to be timely and effective too, and having that good communication is how you practice bilateral safe harbor too. Make sure to remediate discovered vulnerabilities in a timely manner. Just again, time is of the essence, and making sure that is working.
You've got to be able to have that good communication between the researcher and yourself. So ground rules now. Hackers in this room, if you do participate on a safe harbor company, just note that you need to report any vulnerability you discover promptly. Also avoid violating any privacy of others. And I think if I just keep going I could say that, but the most important thing is, please do not engage in extortion. I've seen this happen too many times, and sometimes they don't mean to do extortion; they just are like, why won't you contact me? If you don't, I will post this, I will let Krebs know. Like, that's not gonna do very much well for you in the end.

So safe harbor language in the US. So disclose.io is US based; however, at this time we are working with some Canadian attorneys as well, so then Canadian companies can actually participate as well with disclose.io. So once that is posted, that's gonna be really cool. But other than that, disclose.io was literally created because of the lack of having safe harbor in the US and being able to figure out the laws around it. So it's one of those things that it's gonna take some time for Canada, but probably in the next few months we will have it rolling out.

So now the big question is, how can you participate? So I mentioned if you are someone in the legal field: any attorneys in this room? Sort of, I love that. So if you know any attorneys that would probably want to participate, that'd be wonderful, because this is a grassroots movement. It is a community-run movement. That means it is the program managers, who are like, I want to support safe harbor. It is the researchers who are like, I want to practice safe harbor, and here I'm gonna give you the following companies that are practicing it. So everything has been created from the hacker community. And also any attorneys, there's one possible one.
We're also looking for attorneys that always help out. So once again, there's two parts. So there's the safe harbor language that we'll have for Canada very soon, but this is an idea that you get in the US. So basically, if you want to practice, you contact us, and then from there we help you get everything going and started and running beautifully. And then we have the second part, which is the list. It is a directory for hackers. So once again, you see there, there's this beautiful thing of like who to contact, which is fantastic, but it also tells you about swag, money and whatnot to expect, and also the policy URL of: this is what safe harbor is, this is what's in scope, this is what's out of scope. And last but not least, the really important thing about all this is that it has been formed and created by the hacker community. So program managers, you can participate too, but hackers have also been like, this company practices safe harbor, this one does partial, and this one, it's uncertain. So this is really good for hackers to know ahead of time, like what you should expect when talking to these people, and the list is always posted.

I want to make this short for a reason, and the reason for that is in case people have a lot of questions, but also because I have disclose.io stickers, and I've also been trained to give this talk in five minutes now. So any questions about disclose.io or safe harbor or Canadian laws that I may