Slashdot Mirror


Is It Illegal To Disclose a Web Vulnerability?

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

6 of 198 comments

  1. Re: No good deed goes unpunished by nadamsieee · · Score: 2, Informative

    In the interest of full disclosure, Clare Boothe Luce said that. :)

  2. Re:So is it illegal too... by SpaceLifeForm · · Score: 2, Informative

    If the poster is not signed, who can be blamed?

    The problem is that there are many emperors that want to believe in security by obscurity, and when told they have no clothes, would rather shoot the messenger than face reality.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  3. vulnerability disclosure: how much is too much? by rabblerouzer · · Score: 3, Informative

    Some interesting comments from Bruce Schneier and Marcus Ranum (and Microsoft too) on the debate. http://www2.csoonline.com/exclusives/column.html?CID=28088

  4. Re:Moot issue? by wizzard2k · · Score: 4, Informative

    You could report it through a 3rd party like The Zero Day Initiative, a division of 3com's Tipping Point intrusion prevention service.

    That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.

  5. Re:What's the problem? by Jussi K. Kojootti · · Score: 3, Informative

    That may be a race, but a race condition is something else...

  6. If you found an unlocked door at an airport by Beryllium Sphere(tm) · · Score: 3, Informative

    Funny you should mention that. Just this year, a woman looking for her wallet pushed open a door to a parked airplane at Newark. An alarm went off. Nobody paid any attention. She was alone on the airplane for several minutes checking around the seat for her wallet.