Is It Illegal To Disclose a Web Vulnerability?

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

Discover, or try to discover?

[gstoddart]

Is this about discovering a vulerability, or trying to discover a vulnerability?

If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.

If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged bith attempted B&E. You don't get to do a security audit on people's front doors.

As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.

Just my 2 cents, anyway.

Re:So is it illegal too...

[Kadin2048]

It's not, except that what gets people in trouble, is when they try to take credit for a vulnerability they've found in a production website.

I doubt that you'd get in trouble -- and how could you? -- if you submitted the vulnerability, or even publicized it, anonymously. There are lots of ways to do this; Mixmaster comes to mind, and is practically invulnerable to tracing, particularly when your potential adversary isn't expecting an anonymous communication to come in.

If you found a problem, realize that no good is ever going to come to you because of it, and don't expect to ever be rewarded or thanked. Once you've acknowledged those things, there's no reason to attach your name to it, when you let them know.

It's when you try to have your cake and eat it too -- point out someone else's problem while getting rewarded for it -- that the problems really begin.