Lawsuits Threaten Infosec Research -- Just When We Need it Most (zdnet.com)
This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.
IANAL, but it would seem some of the threats border on using the threat of a lawsuit to silence critics. Unfortunately, it takes money to defend yourself, so it may be less painful simply to shut up.
I wonder if the threat of discovery, and fighting to keep it public, would stop some lawsuits, as it would force companies to reveal potentially damaging information. You want to sue? I'll prove what I said is materially correct by demanding your code, internal memos, etc. related to the bugs. I guess we'd need a high-powered lawyer who is interested in security to decide to do one pro bono.
The other option is to anonymously release bug data as soon as it is discovered, to screw over companies that threaten lawsuits. If they don't want to play nice, it's time to stand up to them in other ways.
I'm a consultant - I convert gibberish into cash-flow.