Is It Illegal To Disclose a Web Vulnerability?
Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"
Re: No good deed goes unpunished (Score:3, Informative)
Re:So is it illegal too... (Score:3, Informative)
The problem is that there are many emperors that want to believe in security by obscurity, and when told they have no clothes, would rather shoot the messenger than face reality.
vulnerability disclosure: how much is too much? (Score:3, Informative)
Re:Moot issue? (Score:4, Informative)
That gives small-time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3Com's customers) while retaining the possibility of a reward.
Re:What's the problem? (Score:4, Informative)
If you found an unlocked door at an airport (Score:4, Informative)