The risks of disclosing web vulnerabilities [LWN.net]

The risks of disclosing web vulnerabilities

Posted May 4, 2006 18:32 UTC (Thu) by oak (subscriber, #2786)
In reply to: The risks of disclosing web vulnerabilities by copsewood
Parent article: The risks of disclosing web vulnerabilities

So, for example discussing on the public forums (of the corresponding
system) about whether anybody else had bumbed into a "funny feature"
of the system might be OK, as long as one doesn't try use it him/herself
nor mentions that it "might" be a security hole?

Could one be even outraged that the organization had "implemented" a
feature for disclosing sensitive information?

(Log in to post comments)

The risks of disclosing web vulnerabilities

Posted May 12, 2006 12:34 UTC (Fri) by copsewood (subscriber, #199) [Link]

"So, for example discussing on the public forums (of the corresponding
system) about whether anybody else had bumbed into a "funny feature"
of the system might be OK," OK in the UK and in common law. Might be illegal under some circumstances in the US.

"as long as one doesn't try use it him/herself" which I take to mean breaking and entering or trespassing in physical law and a violation of the UK Computer Misuse Act. I think US state computer laws vary, don't know whether covered by US federal law.

"nor mentions that it "might" be a security hole?" Legal AFAIK in the UK, illegal under the US DMCA which is in conflict with the US Constitution.

"Could one be even outraged that the organization had "implemented" a
feature for disclosing sensitive information?" How you feel is your own business. What you say could breach the DMCA in the US but not the UK Computer Misuse Act as I understand it. In the US the DMCA discourages you from doing the responsible thing which is telling the party with a known insecure system what's wrong so they can fix it.