The risks of disclosing web vulnerabilities

Posted May 4, 2006 16:17 UTC (Thu) by copsewood (subscriber, #199)
Parent article: The risks of disclosing web vulnerabilities

I think there is a great difference between:

  • "researching" someone else's implementation of a program - which is used to store confidential data belonging to someone other than the security researcher, and
  • the security researcher implementing this program themselves, finding a vulnerability in their own implementation of it and giving the developer of this program appropriate time to fix it before publishing the exploit.

In the UK, as this article points out, this makes the difference between unauthorised and authorised access. Unless the system owner invites security reports of discovered vulnerabilities, effort should not be put into discovering these by an uninvited party. I may accidentally leave my door unlocked. If someone sees keys left in the outside door and rings the doorbell to tell the house owner, this is authorised access. If they go in through an unlocked door or try to see how easy this is to pick and wander around the house, this is trespassing - as well as being a violation of privacy. Buying a particular make and model of door lock at a hardware shop, taking it home, working out how easy it is to break it or pick it, and telling others about this is generally considered fair use and fair comment.

In cases such as these it is instructive to compare actions in the virtual domain with similar actions in the physical domain, to see how the latter would be regarded both socially and in legal terms. This is also a useful acid test of computer-related legislation. Based on these criteria the DMCA fails a test that the UK Computer Misuse Act passes.


The risks of disclosing web vulnerabilities

Posted May 4, 2006 18:32 UTC (Thu) by oak (subscriber, #2786) [Link]

So, for example, discussing on the public forums (of the corresponding system) whether anybody else had bumped into a "funny feature" of the system might be OK, as long as one doesn't try to use it him/herself nor mentions that it "might" be a security hole?

Could one even be outraged that the organization had "implemented" a feature for disclosing sensitive information?

The risks of disclosing web vulnerabilities

Posted May 12, 2006 12:34 UTC (Fri) by copsewood (subscriber, #199) [Link]

"So, for example, discussing on the public forums (of the corresponding system) whether anybody else had bumped into a "funny feature" of the system might be OK," OK in the UK and in common law. Might be illegal under some circumstances in the US.

"as long as one doesn't try to use it him/herself" which I take to mean breaking and entering or trespassing in physical law and a violation of the UK Computer Misuse Act. I think US state computer laws vary; I don't know whether this is covered by US federal law.

"nor mentions that it "might" be a security hole?" Legal AFAIK in the UK, illegal under the US DMCA which is in conflict with the US Constitution.

"Could one even be outraged that the organization had "implemented" a feature for disclosing sensitive information?" How you feel is your own business. What you say could breach the DMCA in the US but not the UK Computer Misuse Act, as I understand it. In the US the DMCA discourages you from doing the responsible thing, which is telling the party with a known insecure system what's wrong so they can fix it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds