The US is rewriting its controversial zero-day export policy

Experts say the rules would weaken defensive security tools

For two months, security researchers have been fighting a controversial export policy known as the Wassenaar Arrangement — and now it looks like they may have won a crucial battle in that fight. In a closed-door meeting this morning, a Commerce Department representative said the agency's Wassenaar-inspired export controls were currently being rewritten after the comment period ended last week. The new version will be "quite different," according to a Commerce official quoted by PoliticoPro, and will be followed by a second round of public comments.

First laid out in May, the Department of Commerce's new export rules were controversial from the start, with many in the security community saying the rules would make it impossible to develop and deploy benign security tools. Companies also raised concerns that the rules would hamper international bug bounties, which are now a common security practice among software vendors. Commerce held a two-month comment period on the proposed rules, during which Google, Facebook, and dozens of other companies filed comments critical of the regulations as written. Now that the comment period is closed, it appears Commerce took those criticisms to heart.

But while US regulators have hinted at significant revisions, it's unclear how they'll square the security world's objections with the country's larger international obligations. America signed on to the Wassenaar Arrangement in 2013, and while the exact regulations are open to interpretation, the arrangement obligates some form of new export control on intrusion software. As the latest struggle demonstrates, it will be very difficult to write those controls without causing problems for security researchers unless Wassenaar itself is revised at the annual meeting of the member states in December.