Google criticises US rules on finding software bugs

[Image: Heartbleed logo. Source: Heartbleed.com. Caption: Fixing widespread bugs such as Heartbleed would be far harder under the US proposals, said Google]

A US plan to require a licence to export "intrusion software" would make the web more dangerous, Google says.

The 41 nations in the Wassenaar arms-control arrangement want it updated to stop oppressive regimes acquiring net-based surveillance systems.

But Google says their definition of "intrusion software" is "dangerously broad and vague", and that it includes information about bugs and vulnerabilities.

The US says the plan balances computer security and foreign policy goals.

Google, like many other companies, uncovers thousands of vulnerabilities, such as Heartbleed and Poodle, every year, and seeking a licence to publish information about each one would slow the process.

Google lawyer Neil Martin said the change would "hamper our ability to defend ourselves, our users, and make the web safer".

"It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."

Google said it would ask the US Department of Commerce to put in place exemptions for vulnerability research and to allow companies that operated internationally to easily share information internally.