Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillame Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France."

French Court: "Surrender Now"

[fembots]

What good is it to publish software vulnerability, especially on closed source products?

If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.

Re:French Court: "Surrender Now"

[John+Fulmer]

The 'good' is that it keeps closed source vendors honest.

The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.

Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.

It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminialized.

You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

Re:French Court: "Surrender Now"

[nurd68]

Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publically until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.