Slashdot Mirror


Security Researcher Threatened With Vulnerability Repair Bill

mask.of.sanity writes "A security consultant who quietly tipped off an Australian superannuation fund about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw. A legal document (PDF) sent from the company demanded that the researcher provide its technical staff with access to his computer. The company acknowledged the researcher's work was altruistic and thanked him for his efforts, but warned that the disclosure, which was not previously made public, may have breached Australian law. The researcher had run a batch file to access about 500 accounts, which was then handed to the company to demonstrate the direct object reference vulnerability."
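The story turns on a direct object reference flaw: an account number taken from the request is used as the lookup key without checking that the logged-in member owns that account. The following is an added example, not code from the Slashdot post or from the fund, with a constructed in-memory data store and made-up member names and account ids; it shows the unscoped lookup beside the ownership-checked one, plus a small log-review helper of the kind a defender would use to spot a burst of denied cross-account lookups.

```python
# Added example (not from the Slashdot post or the fund's code): the two
# server-side lookup styles behind an insecure direct object reference (IDOR).
# Users, account ids and balances below are all constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str      # username of the member who owns this account
    balance: float


# Constructed sample data: three members, three accounts.
ACCOUNTS = {
    1001: Account(1001, "alice", 52000.0),
    1002: Account(1002, "bob", 13750.5),
    1003: Account(1003, "carol", 98100.25),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_account_insecure(current_user: str, account_id: int) -> Optional[Account]:
    """Vulnerable pattern: the id from the request is used directly as the key.
    The authenticated user is ignored, so any member who changes the id in the
    request reads another member's record."""
    return ACCOUNTS.get(account_id)


def get_account(current_user: str, account_id: int) -> Optional[Account]:
    """Hardened pattern: the lookup is scoped to the authenticated principal.
    A record that exists but belongs to someone else raises Forbidden, so the
    caller gets the same outcome whether or not the id is valid for them."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return None
    if account.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access account {account_id}")
    return account


def count_denied(requests: Iterable[Tuple[str, int]]) -> int:
    """Defender-side check: replay (user, account_id) pairs from a request log
    through the ownership rule and count how many would be denied. A run of
    denials from one session is the signature of sequential id probing and is
    the event worth alerting on."""
    denied = 0
    for user, account_id in requests:
        try:
            get_account(user, account_id)
        except Forbidden:
            denied += 1
    return denied


if __name__ == "__main__":
    # Constructed request log: alice walks through three consecutive ids.
    log = [("alice", 1001), ("alice", 1002), ("alice", 1003), ("bob", 1002)]
    print("insecure lookup leaks:", get_account_insecure("alice", 1002))
    print("denied by ownership check:", count_denied(log))
```

The hardened lookup keys on the pair (current user, account id) rather than the id alone; the same rule applies whether the store is a dictionary, an ORM query or a SQL `WHERE owner = ?` clause, and the denied-request count is the figure to put on a dashboard.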

3 of 231 comments

  1. Lesson learned by nurb432 · Score: 5, Insightful

    If you find a vulnerability, don't tell the people at risk, sell it or use it.

    Either that or move to a less stupid country.

    --
    ---- Booth was a patriot ----
    1. Re:Lesson learned by LifesABeach · Score: 5, Insightful

      Well, let's just back up here a bit. If my neighbor discovers that part of my fence is broken, and walks onto my property to tell me so:
      1. Is the neighbor guilty of Trespassing?
      2. Is the neighbor guilty of causing the fence to be broken?
      3. Is the neighbor guilty of being the cause of the broken fence?
      4. Is the neighbor guilty of Negligence because the fence is broken?
      5. Is the neighbor guilty of Indirect Negligence because the fence is broken?
      6. Is the neighbor guilty of not maintaining the fence?
      7. Is the neighbor guilty of any damage because the fence is broken?

      Some Lawyer in their first year of business is going to carve up a Hedge Fund like a Christmas Turkey. Cheers!

  2. As the old idiom goes: by magsol · Score: 5, Insightful

    No good deed goes unpunished.

    Being punished for doing the right thing tends to bias people towards hiding this sort of information, which would imply that your vulnerability isn't made public until someone slightly less kind happens upon it. Which is apparently the way these folks would prefer it be made public.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw