As a passionate advocate for hackers operating in good faith, I’ve always believed in the power of collaboration to drive meaningful change in cybersecurity. Over the past year, the Hacking Policy Council (HPC)—of which Bugcrowd is a founding member—has been incredibly productive and made huge strides in advocating for policies that not only strengthen our collective defenses, but also empower ethical hackers to play a central role in securing the digital landscape.
This post highlights the achievements of the HPC’s work in 2024, the Council’s core areas of focus, and our vision for an even more impactful 2025.
2024: A year of outcomes and progress
In 2024, the HPC tackled some of the most pressing cybersecurity challenges, focusing on four core priorities:
- Promoting the adoption of vulnerability disclosure policies (VDPs) and bug bounty programs (BBPs)
- Addressing offensive security practices and commercial surveillance
- Enhancing AI testing and security protocols
- Engaging state attorneys general (AGs) on charging policies for good-faith security researchers.
By working to address these priority areas, we sought to align policy, technology, and innovation to create a safer, more resilient cybersecurity ecosystem. Let’s expand on some of these focus areas.
Promoting VDPs and BBPs
One of the HPC’s key achievements this year was driving the adoption of VDPs and BBPs across critical sectors. These programs often leverage the expertise of ethical hackers to enable organizations to proactively identify and remediate vulnerabilities.
For example, the HPC provided guidance to the UK’s Department for Science, Innovation & Technology (DSIT) on their Code of Practice for Software Vendors. Our recommendations emphasized:
- Harmonizing international security frameworks to reduce compliance burdens
- Strengthening safe harbor protections for good-faith researchers
- Encouraging proactive vulnerability management practices like penetration testing and BBPs.
Similarly, the HPC’s feedback to the Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) informed reporting processes, protecting ethical researchers while enhancing the nation’s overall cyber resilience. Clear and well-defined reporting processes reduce potential chilling effects among researchers and foster a culture of openness and collaboration.
Enhancing AI testing and security protocols
AI continues to reshape cybersecurity, presenting both opportunities and challenges. In 2024, the HPC focused heavily on advancing AI security protocols.
For instance, our feedback to the National Institute of Standards and Technology (NIST) on managing misuse risks for dual-use AI models played a pivotal role in shaping policies. Key recommendations included the following:
- Expanding red teaming practices to cover a broader range of risks
- Encouraging robust vulnerability disclosure processes for AI systems
- Protecting researchers conducting AI trustworthiness assessments.
Additionally, the HPC championed exemptions under the Digital Millennium Copyright Act (DMCA) for good-faith AI research. By securing these exemptions, we’ve empowered researchers to test AI systems for vulnerabilities without fear of legal liability—a win for innovation and security.
Engaging state AGs on charging policies for good-faith researchers
One of the most personal and impactful initiatives this year was the HPC’s collaboration with the National Association of Attorneys General (NAAG). We cohosted a webinar to educate state AGs on the importance of distinguishing between malicious hacking and good-faith security research.
This dialogue encouraged states to align with federal policies, such as the Department of Justice’s guidelines under the Computer Fraud and Abuse Act (CFAA), which clarify that ethical hacking practices should not be prosecuted as cybercrime. By reinforcing the concept of good-faith security research to this audience, we’re fostering a positive operating environment for hackers where innovation and security can work hand in hand.
The focus of the Hacking Policy Council
At its core, the HPC is about creating alignment between policymakers, researchers, and organizations. Our mission is to:
- Advocate for policies that encourage responsible security practices. We aim to make ethical hacking a normalized part of cybersecurity strategies, whether it be through VDPs, BBPs, pentesting, or AI safety and security research.
- Protect good-faith researchers. By shaping laws and guidelines, we ensure that those working to improve security are not penalized for their efforts.
- Drive global harmonization. Cyber threats know no borders. The HPC works to align international policies and standards, reducing fragmentation and fostering global collaboration.
- Innovate in AI and offensive security. As technology evolves, so must our approach to securing it. The HPC is at the forefront of promoting innovation in AI security and tackling the ethical dilemmas posed by offensive security practices.
Looking ahead: 2025 and beyond
As we move into 2025, the stakes for cybersecurity have never been higher. The HPC’s vision for the future includes building on the successes of 2024 while addressing emerging challenges. Below are some of our goals for the upcoming year.
Expanding VDPs and BBPs across sectors
VDPs and BBPs are proven mechanisms for enhancing security, but their adoption is still uneven across industries. In 2025, we’ll focus on engaging more sectors, from healthcare to education, to integrate these programs into their cybersecurity frameworks. This includes advocacy for clear safe harbor protections and incentives to encourage participation.
Deepening AI security protocols
The rapid evolution of AI demands constant vigilance. The HPC will continue to work with stakeholders like NIST, CISA, and international bodies to establish standardized protocols for AI testing, red teaming, and vulnerability disclosure. Our goal is to create a comprehensive framework that balances innovation and safety.
Strengthening international collaboration
Global cyber threats require global solutions. The HPC will expand its role in international initiatives like the Pall Mall Process, United Nations working groups, and cross-border dialogues. By fostering collaboration between nations, we can create a unified front against cybercrime and the misuse of offensive capabilities.
Promoting legal protections for ethical hackers
One of the most pressing issues remains the legal ambiguity surrounding ethical hacking. In 2025, the HPC will intensify its efforts to work with lawmakers, AGs, and industry leaders to establish clear, consistent protections for researchers.
Encouraging accountability in offensive security
As commercial spyware and offensive tools continue to proliferate, the HPC will advocate for stricter accountability measures. This includes urging governments to adopt procurement bans on irresponsible technologies and promoting alternatives like VDPs and BBPs as effective countermeasures.
A call to action—The shared responsibility for cybersecurity
2025 promises to be a pivotal year for cybersecurity. At the HPC, we’re committed to not just reacting to challenges but proactively shaping the future. To our members, collaborators, and allies: thank you for your dedication, insights, and passion. Together, we’ve laid a strong foundation, but there’s much more to do.
Cybersecurity is a shared responsibility. Whether you’re a policymaker, an ethical hacker, or an industry leader, your role is critical in building a safer digital world. Let’s continue to work together to make ethical hacking the norm, strengthen global defenses, and drive innovation in a way that benefits everyone.
Here’s to a successful 2025 and beyond!