The social tide has been turning to become more inclusive for decades, but still we hold onto remnants of the past. Many of the terms used in the security technology ecosystem are inherently exclusive and support a culture that has historically created hurdles and limits for diverse people. With the unprecedented events of 2020, individuals and organizations are reevaluating their policies, practices, and language to remove antiquated and potentially hurtful terms.
It is imperative that members of the Bug Bounty community also evaluate their actions and language. We are a community, which means we work together with our neighbors and seek perspectives from all parties involved. Our work requires broad collaboration and unconditional inclusion, regardless of race, religion, age, sexual orientation, or political affiliation. Each security researcher brings their unique perspective, finding vulnerabilities that others may miss. Small changes, like revising our language, can only serve to grow our community by promoting collaboration and transparency.
Participants in the Bug Bounty Community of Interest (COI) are experts working across the technology industry, where we’re seeing more and more organizations effect change. Many of the leading Fortune 500 tech companies are scrubbing their communications and platforms to replace terms that may be offensive or painful, or that perpetuate bias against underrepresented minorities. We implore all members of our community to join this effort and adopt inclusive language and concepts that make space for everyone to participate equally.
To improve security and innovate at the pace of hacking, we cannot afford to be exclusionary. Nor can we improve our communities without including all members of them.
We encourage everyone to start by actively transforming your language around common security topics. This is by no means an exhaustive list, but here are some examples:
- “White hat” and “Black hat” – associates white with good and black with bad, reinforcing a color divide and what is known as the “bad is black effect.”
- “Man in the Middle” or “Evil maid” – these gendered terms are not technically useful, are not standard, and are not as clear as alternatives such as “on-path interception” or “pass-by,” respectively. Therefore, they should be avoided.
- Militarized metaphors – there is a deep historical connection between technology and war. These types of metaphors add little to clear communication and should therefore be avoided, e.g. “Kill-Chain”, “War Driving”, “cyber-weapons” and “Brute-force Attacks.”
Other examples can be found in the changes that organizations such as GitHub, Microsoft, LinkedIn, Android, OpenSSL, Twitter and others have been making, as reported by ZDNet.
Being more cognizant and respectful of our community through thoughtful consideration in our use of terms and concepts will not, in one action, solve the larger situation of decades of systemic oppression. Adopting more inclusive language is one small step we can collectively take toward making our community more respectful and considerate of differences. The Information Security community needs to adopt a more comprehensive viewpoint, especially because technology now touches all members of society. We must consider all aspects of human dignity.
Additional References:
- https://thenewstack.io/words-matter-finally-tech-looks-at-removing-exclusionary-language/
- https://www.zdnet.com/article/infosec-community-disagrees-with-changing-black-hat-term-due-to-racial-stereotyping/
- https://www.duncannisbet.co.uk/removing-harmful-language-from-my-lexicon
- https://www.fedscoop.com/does-cybersecurity-need-a-new-language/
- https://www.zdnet.com/article/mysql-drops-master-slave-and-blacklist-whitelist-terminology/
- https://tools.ietf.org/html/draft-knodel-terminology-02