The risks of disclosing web vulnerabilities
Posted May 4, 2006 16:17 UTC (Thu) by copsewood
Parent article: The risks of disclosing web vulnerabilities
I think there is a great difference between:
- "researching" someone else's implementation of a program - which is used to store confidential data belonging to someone other than the security researcher, and
- the security researcher implementing this program themselves, finding a vulnerability in their own implementation of it and giving the developer of this program appropriate time to fix it before publishing the exploit.
In the UK, as this article points out, this makes the difference between unauthorised and authorised access. Unless the system owner invites security reports of discovered vulnerabilities, effort should not be put into discovering these by an uninvited party. I may accidentally leave my door unlocked. If someone sees keys left in the outside door and rings the doorbell to tell the house owner, this is authorised access. If they go in through an unlocked door or try to see how easy this is to pick and wander around the house, this is trespassing - as well as being a violation of privacy. Buying a particular make and model of door lock at a hardware shop, taking it home, working out how easy it is to break or pick, and telling others about this is generally considered fair use and fair comment.
In cases such as these it is instructive to compare actions in the virtual domain with similar actions in the physical domain, to see how the latter would be regarded both socially and in legal terms. This is also a useful acid test of computer related legislation. Based on these criteria the DMCA fails a test that the UK Computer Misuse Act passes.