Reporting Vulnerabilities Is For The Brave
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
That sounds like a good idea... until you figure that even then, someone will hire an attorney, sue, and get the records anyway. Look at the state of California, for example. They have a law that requires businesses to notify all clientele when any sensitive client data is compromised. Just that instance alone means that the state of California is going to come after the disclosing agency. Do you want to be the guy holding that info when the People's Republic of California comes knocking? I don't. Too many bleeding-heart, anti-corporate liberals in California that think they can legislate the world into submission. Notifying ANYONE of a problem with security, you'd better live overseas, or you'd best have a lot of spare money, time, and lawyers.
It's not worth it.