Wassenaar rules require export licenses for anything that could be considered “intrusion software”—but not in the US, yet.
If your work involves exploiting vulnerabilities in software, congratulations—you’re potentially an arms merchant in the eyes of many governments. Your knowledge about how to hack could be classified as a munition.
A United States delegation yesterday failed to convince all of the members of the Wassenaar Arrangement—a 41-country compact that sets guidelines for restricting exports of conventional weapons and “dual use goods”—to modify rules that would place export restrictions on technologies and data related to computer system exploits. And while the US government has so far declined to implement rules based on the existing convention, other countries may soon require export licenses from anyone who shares exploit data across borders—even in the form of security training.
The changes governing “intrusion software” were adopted by the Wassenaar plenary in 2013, and they were set to be implemented by member countries last year. Those changes were intended to prevent repressive regimes from gaining access to commercial malware—such as the code sold by the Italy-based Hacking Team to Sudan and the surveillance tools from Blue Coat that were resold to Syria’s Assad regime and used to catch dissident bloggers.
Read more: Ars Technica