Tuesday, 12 October 2021 10:53

iTWireTV Interview: CyAN VP Peter Coroneos explains why laws are needed to protect ethical zero-day cyber research


The Paris-based not-for-profit Cybersecurity Advisor Network (CyAN) has formed a global partnership to secure legal protections for good faith (bona fide) zero-day researchers. Such research is still illegal in some jurisdictions, which CyAN argues puts the systems modern life depends on at serious risk. We speak to Peter Coroneos, CyAN VP, to find out more.

As CyAN International Vice President and Zero Day Legislative Project leader, Peter Coroneos explained: "Zero day vulnerabilities are flaws in software or systems code that leave end users open to attack.

"They are called 'zero day' because they are either unknown to the vendor who produced the product, or are known but no patch has yet been made available.

"The period between when the zero day is first discovered by an attacker and when the patch is installed by the end user is the attack window in which a compromise can occur. The consequences can be vast and most serious attacks these days involve zero day exploits."

Coroneos continued: "The first famous zero day attack was Stuxnet in 2009 against the Iranian uranium enrichment program. More recent attacks include WannaCry, NotPetya, SolarWinds, the MS Exchange Server hacks of 2021 and the infamous Colonial Pipeline ransomware attack."

In the video interview, Peter Coroneos opens with why the issue has come up again and the passion with which CyAN and its partners are pursuing international legal reform. The article continues below.

So, why is the Zero Day Legislative Project needed?

Coroneos continued: “At a time of unprecedented scale and seriousness of cyber attacks threatening our personal information, the continuity of our businesses and the systems and infrastructure that support our societies, we find the very people we rely on to protect us remain under threat.

"'White hat' zero day researchers form a critical piece in the remediation of exploitable connected systems. They uncover the existence of unpatched vulnerabilities and report them to vendors of the relevant products so they can be fixed. Regrettably, they face legal threats from some vendors sensitive to the discovery of flaws in their products.

“The threats usually involve copyright and/or criminal laws that govern access or interference with computer systems. Outdated laws have not kept up with cyber challenges, stifling research efforts and reporting at a time when researchers should be supported.

“That is why we are building an international coalition to advocate for changes to laws to ensure that zero day researchers will no longer fear heavy handed legal responses from companies whose products they are seeking to secure," added Coroneos.

CyAN notes the OECD's recognition of "the need for action" in its 2021 guidance for policy makers, which observes:

"In many countries, researchers face significant legal risk when reporting vulnerabilities to vulnerability owners. Vulnerability owners can threaten researchers with legal proceedings instead of welcoming their vulnerability reports. This legal risk, aggravated when stakeholders are located across borders, creates powerful disincentives [for responsible

A number of high profile cyber leaders have expressed support for the initiative:

"Security researchers are the public safety whistleblowers for technology that the world increasingly depends upon. It's high time the world's laws provided these good faith hackers safer ways to perform their vital research essential to securing the modern world," said Katie Moussouris, Founder & CEO, Luta Security; Founder, Microsoft Vulnerability Research (MSVR); and co-author and co-editor of the international standards ISO 29147 (Vulnerability disclosure) and ISO 30111 (Vulnerability handling processes).

"Ethical cybersecurity research which helps us clean up the digital environment deserves and needs proper legal protection," according to Ciaran Martin CB, former CEO of the UK National Cyber Security Centre.

Chris Painter, former top US cyber diplomat added: “It’s important to separate malicious actors from responsible, ethical, researchers who conduct their research within settled best practices. Supporting the latter, while condemning the former, is a worthy cause.”

"If good-faith security research is the Internet's Immune System, then modernising legislation to recognise hacking as a dual-use and morally agnostic activity, as well as creating carve-outs for today's Internet's 'digital locksmiths', is the equivalent of resolving the Internet's auto-immune problem," said Casey Ellis, Founder/Chairman/CTO of Bugcrowd and Co-Founder of The disclose.io Project.

Stéphane Duguin, CEO of The CyberPeace Institute, agreed, saying: "Because of the complexity and distributed nature of vulnerabilities, we need to empower and not penalise those who are working in good faith in the interest of public safety. Secure ICTs are key to creating a safe and stable cyberspace where we can unlock the potential of technology and empower individuals. Cybersecurity researchers are key to this mission."

Also supporting the program is Vice-amiral d'escadre (Ret) Arnaud Coustilliere, former FR COMCYBER.



Alex Zaharov-Reutt

Alex Zaharov-Reutt is iTWire's Technology Editor and one of Australia's best-known technology journalists and consumer tech experts. Alex has appeared as a technology expert on all of Australia's free-to-air and pay TV networks, on all the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.
